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We present a full-spectrum dependently typed core language which includes both nontermination and 
computational irrelevance (a.k.a. erasure), a combination which has not been studied before. The two 
features interact: to protect type safety we must be careful to only erase terminating expressions. Our 
language design is strongly influenced by the choice of CBV evaluation, and by our novel treatment 
of propositional equality which has a heterogeneous, completely erased elimination form. 

1 Introduction 

The Trellys project is a collaborative effort to design a new dependently typed programming language. 
Our goal is to bridge the gap between ordinary functional programming and program verification with 
dependent types. Programmers should be able to port their existing functional programs to Trellys with 
minor modifications, and then gradually add more expressive types as appropriate. 

This goal has implications for our design. First, and most importantly, we must consider nonter- 
mination and other effects. Unlike Coq and Agda, functional programming languages like OCaml and 
Haskell allow general recursive functions, so to accept functional programs 'as-is' we must be able to 
turn off the termination checker. We also want to use dependent types even with programs that may 
diverge. 

Second, the fact that our language includes effects means that order of evaluation matters. We choose 
call-by-value order, both because it has a simple cost model (enabling programmers to understand the 
running time and space usage of their programs), and also because CBV seems to to work particularly 
well for nonterminating dependent languages (as we explain in section [FT] ). 

Finally, to be able to add precise types to a program without slowing it down, we believe it is essential 
to support computational irrelevance — expressions in the program which are only needed for type- 
checking should be erased during compilation and require no run-time representation. We also want to 
reflect irrelevance in the type system, where it can also help reason about a program. 
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These three features interact in nontrivial ways. Nontermination makes irrelevance more compli- 
cated, because we must be careful to only erase terminating expressions. On the other hand CBV helps, 
since it lets us treat variables in the typing context as terminating. 

To study this interaction, we have designed a full-spectrum, dependently-typed core language with a 
small-step call-by-value operational semantics. This language is inconsistent as a logic, but very expres- 
sive as a programming language: it includes general recursion, datatypes, abort, large eliminations and 
"Type-in-Type". 

The subtleties of adding irrelevance to a dependent type system all have to do with equality of ex- 
pressions. Therefore many language design decisions are influenced by our novel treatment of prepo- 
sitional equality. This primitive equality has two unusual features: it is computationally irrelevant 
(equality proofs do not need to be examined during computation), and it is "very heterogenous" (we can 
state and use equations between terms of different types). 

This paper discusses some of the key insights that we have gained in the process of this design. In 
particular, the contributions of this paper include: 

1. The presence of nontermination means that the application rule must be restricted. This paper 
presents the most generous application rule to date (section |2~T] ). 

2. Our language includes a primitive equality type, which may be eliminated in an irrelevant manner 
(section |2.2|). 



3. The equality type is also "very heterogenous" (section 2.4 1, and we design a new variation of the 



elimination rule, "ra-ary conv", to better exploit this feature (section 2.5 1. We also discuss how to 



add type annotations to this rule (section 2.6 ). 



4. We support irrelevant arguments and data structure components. We show by example that in 
the presence of nontermination/abort the usual rule for irrelevant function application must be 



restricted, and propose a new rule with a value restriction (section 2.3 1. 
5. We prove that our language is type safe (section[3]>. 

The design choices for each language feature affects the others. By combining concrete proposals 
for evaluation-order, erasure, and equality in a single language, we have found interactions that are not 
apparent in isolation. 



1.1 CBV, nontermination, and "partial correctness" 

There is a particularly nice fit between nonterminating dependent languages and CBV evaluation, be- 
cause the strictness of evaluation partially compensates for the fact that all types are inhabited. 
For example, consider integer division. Suppose the standard library provides a function 

div : Nat — S- Nat -> Nat 

which performs truncating division and throws an error if the divisor is zero. If we are concerned about 
runtime errors, we might want to be more careful. One way to proceed is to define a wrapper around div, 
which requires a proof of div's precondition that the denominator be non-zero: 

safediv : Nat — > (y:Nat) — > (p: isZero y = false) — > Nat 
saf ediv = Ax:Nat .Ay:Nat .Ap: (isZero y=false).div x y 

Programs written using safediv are guaranteed to not divide by zero, even though our language is 
inconsistent as a logic. This works because A -abstractions are strict in their arguments, so if we provide 
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an infinite loop as the proof in saf ediv 1 loop the entire expression diverges and never reaches the 
division. In the saf ediv example, strictness was a matter of expressivity, since it allowed us to maintain 
a strong invariant. But when type conversion is involved, strictness is required for type safety. For 
example, if a purported proof of Bool = Nat were not evaluated strictly, we could use an infinite loop as 
a proof and try to add two booleans. This is recognized by, e.g. GHC Core, which does most evaluation 
lazily but is strict when computing type-equality proofs ll28Tl . 

While strict A -abstractions give preconditions, strict data constructors can be used to express post- 
conditions. For example, we might define a datatype characterizing what it means for a string (repre- 
sented as a list of characters) to match a regular expression 

data Match : String — > Regexp — > * where 

MChar : (x:Char) -> Match (x::nil) (RCh x) 
MStarO : (r: Regexp) -> Match (nil) (RStar r) 
MStarl : (r: Regexp) — > (s s':String) — > 
Match s r^ Match s' (RStar r) ->• Match (s ++s') (RStar r) 

and then define a regexp matching function to return a proof of the match 
match : (s:String) — > (r :Regexp) — > Maybe (Matches s r) 

Such a type can be read as a partial correctness assertion: we have no guarantee that the function will 
terminate, but if it does and says that there was a match, then there really was. Even though we are 
working in an inconsistent logic, if the function returns at all we know that the constructors of Match 
were not given bogus looping terms. 

Compared to normalizing languages, the properties our types can express are limited in two ways. 
First, of course, there is no way to state total correctness. Second, we are limited to predicates that can 
be witnessed by a first-order type like Match. In Coq or Agda we could give match the more informative 
type 

match : (s:String) — > (r :Regexp) — > Either (Matches s r) (Matches s r— >False) 

which says that it is a decision-procedure. But in our language a value of type Matches s r — > False is 
not necessarily a valid proof, since it could be a function that always diverges when called. 



2 Language Design 

We now go on to describe the syntax and type system of our language, focusing on its novel contributions. 

The syntax of the language is shown in figure [T] Terms, types, and sorts are collapsed into one 
syntactic category as in the presentation of the lambda cube [6], but by convention we use uppercase 
metavariables A, B for expressions that are types. Some of the expressions are standard: the type of types 
* 0, variables, recursive definitions, error, the usual dependent function type, function definition, and 
function application. The language also includes expressions dealing with irrelevance, datatypes, and 
propositional equality; these will be explained in detail in the following subsections. 



The typing judgment is written r h a : A. The full definition can be found in appendix A.5 In the rest 
of the paper we will highlight the interesting rules when we describe the corresponding language features. 
The typing contexts T are lists containing variable declarations and datatype declarations (discussed in 
section : 



2.3): 



r::= • | F,x :A | r, data DA+ where {d t : A f -> DA+' e '" J } 
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x ,y,fiP £ variables 

D G data types, including Nat 

d G constructors, including and S 

i, j G natural numbers 



expressions a,b,A,B ::= 



telescopes 
expression lists 
conv proofs 



A 

al 
P 



★ | x | rec/ : A.a | aborts 

(x:A) ->■ £ | Ax : A.a | a 6 
[x:A] -»• B | A[x:A].a | a [ft] 

DA,- | d [Aj] aj | caseaas [y] of {d r ; •A / • 
a = & | \o\n a=b ij | injdoma | injrngaft | injtcori; a 
convaat [~Pi/jci] ... [~P,-/jc;]A 
■ | (* : A)A | [x : A] A 



} 



■ I a a,- | |a| a, 
v|[a = fe] 



values 



* | x | rec/ : A.v 
(x:A) ->■ B | Ax : A.a 
[x:A] -»• B | A[x:A].a 
DA~i\ d[Ai]Vi 

a = b | join a=fe /j | injdoma: | injrngaft | injtcon,- a 
convvat[~Pi/xi] ... [~P ; -/x;]A 



Figure 1: Syntax of the annotated language 
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expressions m,n,M,N ::= * | x | rec/.u | abort 

(x : M) N \ Xx.m \ mn 
[x:M] ->■ N | X[].m | m[] 



DM, | (im; | casenof {djXij =^ m/' €l "*} 
m = n\ join 

telescopes E ::= • | (x:M)S | [x:M]S 

expression lists Wj ::= ■ \ m rni \ [] fnj 

values u ::= * | x | rec/.u 

| (x:M) ^ N \ Xx.m 
| [x:M] ->■ AT | X[].m 

DM; I 6?W; 

m = « | join 

evaluation contexts <f ::= • | •m \ u» | • [] | diffmj | case • of {djxjj =^ my} 



SC.APPBETA — - -= — : SC_APPREC 



(Xx.m) u -w cbv [u/x]m ' (rec/.u) u 2 ^ c bv ([rec/.u/^wi) u 2 



SC_IAPPBETA — — ; -= — — SC_IAPPREC 



(A[].m)[] ~* cbv m (rec/.u)[] ~^cbv ([rec/.u//]Mi)[] 



case (d t m) of { djXy m/' €l "* } ~> c b v [ui/xn]mi 



-SC_CASEBETA 



m -^ C bv n 

rSCXTX — — = ■ SC_ABORT 



<§ [m] —>cbv &[n] <§ [abort] ~> c bv abort 



Figure 2: Syntax and operational semantics of the unannotated language 
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In order to study computational irrelevance and erasure, we define a separate language of unan- 
notated expressions ranged over by metavariables m,M. The unannotated language captures runtime 
behavior; its definition is similar to the annotated language but with computationally irrelevant subex- 
pressions (e.g. type annotations) removed. This is the language for which we define the operational 
semantics (the step relation ^ c t> v in figure [2]). The annotated and unannotated languages are related by 
an erasure operation | • |, which takes an expression a and produces an unannotated expression \a\ by 
deleting all the computationally irrelevant parts (figure[4]). To show type safety we define an unannotated 
typing relation H\- m:M and prove preservation and progress theorems for unannotated terms. 

The relation ~-> c bv models runtime evaluation. However, in the specification of the type system we use 
a more liberal notion of parallel reduction, denoted ~~» p . The difference is that ~-* p allows reducing under 
binders, e.g. {Xx.l + 1) ~~» p (Jtac.2) even though (Xx.l + 1) is already a CBV value. The main reason for 
introducing ~» p in addition to -^ c bv is for the metatheory: in order to characterize when two expressions 



are provably equal (lemma 13 1 we need a notion of reduction that satisfies the substitution properties in 
section 3.2 and we defined ~-* p accordingly. But because ~-* p allows strictly more reductions than ^ c bv> 
defining the type system in terms of ~~» p lets the programmer write more programs. Since the type safety 
proof does not become harder, we pick the more expressive type system. 
In summary, we use the following judgments: 

r h a : A Typing of annotated expressions 

H\- m: M Typing of unannotated expressions 

m ~>cbv m ' (Runtime, deterministic CBV) evaluation 

m^ p m! (Typec necking-time, nondeterministic) parallel reduction 

Nontermination and Error Before moving on to the more novel parts of the language we mention how 
recursive definitions and error terms are formalized. Recursive definitions are made using the reef : A.a 
form, with the typing rule 

F,f:Ahv:A r h A : * 
A is (x:Ai) — > A 2 or [x:A\\ — > A 2 
T h reef : A.v : A 



-T_REC 



With this rule the body of a well-typed rec-expression is always a value, but we leave it a general expres- 
sion a in the syntax so that substitution [a/x]b is always defined. For simplicity the rule restricts A so that 
a rec can only have a function type, disallowing (for example) recursive types or pairs of mutually recur- 
sive functions. A typical use of the form will look like reef : (x:A) — > B.Xx : A.b. Rec-expressions are 
values, and a rec-expression in an evaluation context steps by the rule (rec/.u) u 2 ^cbv ([ rec /- u //] M i) u 2- 
This maintains the invariant that CBV evaluation only substitutes values for variables. 

In addition to nonterminating expressions, we include explicit error terms abort/i, which can be given 
any well-formed type. 

ThA :* 

■ T_ABORT 

Tl- abort A : A 

An abort expression propagates past any evaluation context by the rule S [abort] ^ c bv abort. This is a 
standard treatment of errors. General recursion already lets us give a looping expression any type in any 
context, so it is not surprising that this is type safe. However, note that the stepping rule for abort could 
be considered an extremely simple control effect. We will see that this is already enough to influence the 
language design. 
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m ~» p trl n n' 

SP.REFL — -SP_ABS — SP_APP 

m ~» p m Ax.m ~» p Ax.m 



— r — SP_APPBETA - rf-^ SP_APPREC 

(Ax.m) u [u /x\m (rec/.u) 112 ^ P (|rec/.u//jMj) u 2 



Figure 3: Parallel reduction ~» p (Excerpt). 



2.1 CBV Program Equivalence meets the Application rule 

Adding more effects to a dependently typed language requires being more restrictive about what expres- 
sions the type system equates. Pure, strongly normalizing languages can allow arbitrary j8 -reductions 
when comparing types, for example reducing (Ax.m) n either to [n/x]m or by reducing n. This works 
because any order of evaluation gives the same answer. In our language that is not the case, e.g. 
(Ajc.3) abort evaluates to abort under CBV but to 3 under CBN. We can not have both equations 
((Ax. 3) abort) = abort and ((Ax.3) abort) = 3 at the same time, since by transitivity all terms would be 
equal. Our type system must commit to a particular order of evaluation. 

Therefore, as in previous work [13]], our type system uses a notion of equality that respects CBV 
contextual equivalence. Two terms can by proven equal if they have a common reduct under CBV 
parallel reduction ~» p . This relation is similar to -^ c bv, except that it permits evaluation under binders 
and subexpressions can be evaluated in parallel. The rules for A -abstractions and applications are shown 
in figure [3] (the remaining rules are in the appendix, section A.4 1. In particular, the typechecker can only 



carry out a /3 -reduction of an application or case expression if the argument or scrutinee is a value. Note, 
however, that values include variables. Treating variables as values is safe due to the CBV semantics, 
and it is crucial when reasoning about open terms. For example, to typecheck the usual append function 
we want Vec Nat (O+Jt) and Vec Nat x to be equal types. 

The possibility that expressions may have effects restricts the application rule of a dependent type 
system. The typical rule for typing applications in pure languages is 



rha: (x:A) -> B 
Vrb-.A 
T\-ab:[b/x]B 



However, this rule does not work if b may have effects, because then the type [b/x]B may not be well- 
formed. Although we know by regularity (lemma [2]) that (x:A) — > B is well-formed, the derivation of 
r h (x:A) — > B : ★ may involve reductions, and substituting a non-value b for x may block a j6-reduction 
that used to have x as an argument. Intuitively this makes sense: under CBV-semantics, a is really called 
on the value of b, so the type B should be able to assume that x is an (effect- free) value. Our fix is to add 
a premise that the result type is well-formed. This additional premise is exactly what is required to prove 
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type safety. 



rhfl : (x:A) B 

Fhb:A 

Th [b/x]B:* 

_ : T_APP 

rhab:[b/x]B 

This rule is simple, yet expressive. Previous work ll29l[T2ll27ll uses a more restrictive typing for applica- 
tions, splitting it into two rules: one which permits only value dependency, and requires the argument to 
be a value, and one which allows an application to an arbitrary argument when there is no dependency. 
Because our annotated type system satisfies substitution of values, both of these rules are special 



cases of our rule above (proofs are in appendix B.7 1: 



Lemma 1 (Substitution for the annotated language). If T\,x\ : Ai,T2 \- a : A, then T\, \y\/x\]T2 h 
[v\/x\]a : [vi/xi]A. 

Lemma 2 (Regularity for the annotated language). IfT h a : A, then Y \- A : 
Lemma 3. The following rules are admissible. 



rha: (x:A) 
Thv:A 



B 



Fhb 



B 



Thav: [v/x]B 



-APP_VAL 



F\-ab:B 



-APP_NONDEP 



2.2 Equality and irrelevant type conversions 

One crucial point in the design of a dependently typed language is the elimination form for propositional 
equality, conversion, [j] Given an expression F h a : A and a proof r h b : (A = A'), we should be able to 
convert the type of a to A'. We write this operation as convaat~fr. 

In most languages, the proof b in such a conversion affects the operational semantics of the expres- 
sion; we say that it is computationally relevant. For example, in Coq the operational behavior of conv 
is to first evaluate b until it reaches refLeq, the only constructor of the equality type, and then step by 
convaat~refl_eq a. 

However, relevance can get in the way of reasoning about programs. Equations involving conv 
such as (convaat~&) = a are not easily provable in Coq unless b is refLeq. Indeed, because Coq's 
built-in equality is homogeneous, such equalities are often difficult even to state. This issue can be a 
practical problem when reasoning about programs operating on indexed data. One workaround is to 
assert additional axioms about equality and conversion, such as Streicher's Axiom K [24j|. The situation 
is frustrating because the computationally relevant behavior of conversion does not actually correspond 
to the compiled code. Coq's extraction mechanism will erase b and turn convaat~& into just a. But the 
Coq typechecker does not know about extraction. 

Our language integrates extraction into the type-system, similarly to ICC* |7 ]. Specifically, we define 
an erasure function | • | which takes an annotated expression a and produces an unannotated expression 
m = \a\. The definition of | • | is given in Figure [4] In most cases it just traverses a, but it erases type 



annotations from abstractions, it deletes irrelevant arguments (see section [23| ), and it completely deletes 
conversions leaving just the subject of the cast. 



1 Some authors reserve the word "conversion" for definitional equality. Our type system does not have a definitional equality 
judgment, so we hope our use of the word does not cause confusion. 
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*|=* \x\ =x | fee/ : A.v\ = rec/.u 

aborts | = abort 

(x:A) — > B\ = (x: \A\) — > \B\ \Xx : A.a\ = Xx.\a\ \ab\ = \a\\b\ 

[x:A] B\ = [x:\A\] |B| \X[x : A].a\ = A[].|a| |fl[*]| = HQ 

DAi\=D\Ai\ \d \Ai\ al\ =d\aj\ 

-j€l..k-., | | ,,73 \T—\i el -- k - 



caseaas[y]of {djAj =4> bj " }| = case|a|of {djxlj => \bj\ " } 

where Wu are the relevant variables of Ay 
a = b\ = (\a\ = \b\) \}o\n a=b ij\ = |injdoma| = |injrngaZ7| = | injtcon,- a\ = join 

convaat [~Pi/xi] ■■■ [~P ; -/x;]A| = \a\ 

• I = • \a al\ = \a\ \ [<A «7| = [] \al\ 



Figure 4: The erasure function | • | 

The unannotated system is used to determine when expressions are equal. 

\a\ ~-*p n \b\ ~-** n 
T\- a = b : * 

-JOIN_NO_ANNOT 



r h join :a = b 

The rule says that the term join is a proof of an equality a = ft if the erasures of the expressions a and 
& parallel-reduce to a common reduct. Therefore, when reasoning about a program we can completely 
ignore the parts of it that will not remain at runtime. (The rule presented above is somewhat simplified 



from our actual system — it is type safe, but as we discuss in section 2.6 it needs additional annotations 
to make type checking algorithmic.) 

Erasing conversions requires a corresponding restriction on the conv typing rule. As we noted before, 
conversion must evaluate equality proofs strictly in order to not be fooled by infinite loops, but if the 
proofs are erased there is nothing left at runtime to evaluate. The fix is to restrict the proof term to be a 
syntactic value: 

Tr-a:A F\- v :A=B 

FhB:* 

■ VCONV 

r h convaat~v : B 

(We will discuss the third premise r h B : * in section [24]). In the case where the proof is a variable 
(for instance, the equalities that come out of a dependent pattern match), the value restriction is already 
satisfied. Otherwise (for example, when the proof is the application of a lemma) we can satisfy the 
requirement by rewriting (conv a at ~&) to (letx = b in conv a at ~x), making explicit the sequencing that 
Coq integrates into the evaluation rule. 

Most languages make conversion computationally relevant in order to ensure strong normalization for 
open terms. If conversion is irrelevant, then in a context containing the assumption Nat = (Nat — > Nat) 
it is possible to type the unannotated looping term (Xx.x x) (Xx.x x) since evaluation does not get stuck 
on the assumption. Of course, in our language expressions are not normalizing in the first place. 

Making conversions completely erased blurs the usual distinction between definitional and proposi- 
tional equality. Typically, definitional equality is a decidable comparison which is automatically applied 
everywhere, while propositional equality uses arbitrary proofs but has to be marked with an explicit 
elimination form. 
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There are two main reasons languages use a distinguished definitional equality in addition to the 
prepositional one, but neither of them applies to our language. First, if there exists a straightforward 
algorithm for testing definitional equality (e.g., just reduce both sides to normal form, as in PTSs |[6l), 
then it is convenient for the programmer to have it applied automatically. However, our language has 
non-terminating expressions, and we don't want the type checker to loop trying to normalize them. 

Second, languages where the use of prepositional equalities is computationally relevant and marked 
need automatic conversion for a technical reason in the preservation proof. As an application steps, 
m n -^cbv m n', its type changes from [n/x]N to [n' /x]N and has to be converted back to [n/x]N. Because 
the operational semantics does not introduce any explicit conversion into the term, this conversion needs 
to be automatic. However, in our unannotated language uses of prepositional equations are never marked, 
so we can use the prepositional equality at this point in the proof. 

2.3 Irrelevant arguments, and reasoning about indexed data 

Above, we discussed how conversions get erased. Our language also includes a more general feature 
where arguments to functions and data constructors can be marked as irrelevant so that they are erased 
as well. 

To motivate this feature, we consider vectors (i.e. length-indexed lists). Suppose we have defined the 
usual vector data type and append function, with types 

Vec (a:*) : Nat — » * where 
nil : Vec a 

cons : (n:Nat) — > Vec a n— >Vec a (S n) 

app : (nl n2 : Nat) — S- (a : *) -^Vec a nl -^Vec a n2 — S-Vec a (nl+n2) 
app nl n2 a xs ys = 
case xs of 
nil =>• ys 

(cons n x xs) =>cons a (n+n2) x (app n n2 a xs ys) 

Having defined this operation, we might wish to prove that the append operation is associative. This 
amounts to defining a recursive function of type 

app-assoc : (nl n2 n3:Nat) — > 

(vl : Vec a nl) -> (v2 : Vec a n2) -> (v3 : Vec a n3) -> 
(app a nl (n2+n3) vl (app a n2 n3 v2 v3)) 
= (app a (nl+n2) n3 (app a nl n2 vl v2) v3) 

If we proceed by pattern-matching on vl, then when vl = cons n x v we have to show, after reducing 
the RHS, that 

(cons a (n +(n2 +n3)) x (app a n (n2 +n3) v ( a PP a n 2 n3 v2 v3))) 

= (cons a ((n +n2) +n3) x (app a (n +n2) n3 (app a n n2 v v2) v3)) 

By a recursive call/induction hypothesis, we have that the tails of the vectors are equal, so we are almost 
done. . . except we also need to show 

n +(n2 +n3) = (n +n2) +n3 

which requires a separate lemma about associativity of addition. In other words, when reasoning about 
indexed data, we are also forced to reason about their indices. In this case it is particularly frustrating 
because these indices are completely determined by the shape of the data — a Sufficiently Smart Compiler 
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would not even need to keep them around at runtime |8]. Unfortunately, nobody told our typechecker 
that. 

The solution is to make the length argument to cons an irrelevant argument. We change the defini- 
tion of Vec to syntactically indicate that n is irrelevant by surrounding it with square brackets. 

data Vec' (a:*) : Nat — > * where 
nil' : Vec' a 

cons' : [n:Nat] — > a — >Vec' a n— >Vec' a (S n) 

Irrelevant constructor arguments are not represented in memory at run-time, and equations between ir- 
relevant arguments are trivially true since our T_J0IN rule is stated using erasure. 

The basic building block of irrelevance is irrelevant function types [x:M] — > N, which are inhabited 
by irrelevant A -abstractions X[x : A].b and eliminated by irrelevant applications a [b\. The introduction 
rule for irrelevant As is similar to the rule for normal As, with one restriction: 

T,x:A\-b:B 

x ^FV(H) 
— = = = T_IABS 

YhX[x:A].b: [x:A] -> B 

The free variable condition ensures that the argument x is not used at runtime, since it does not remain in 
the erasure of the body b. So x can only appear in irrelevant positions in b, such as type annotations and 
proofs for conversions. On the other hand, x is available at type-checking time, so it can occur freely in 
the type B. 

Since the bound variable is not used at runtime, we can erase it, leaving only a placeholder for the 
abstraction or application: \X[x : A].a\ goes to A[].|a| and \a [b]\ goes to \a\ []. As a result, the term b is 
not present in memory and does not get in the way of equational reasoning. 

The reason we leave placeholders is to ensure that syntactic values get erased to syntactic values. 
Since we make conversion irrelevant this invariant is needed for type-safety [23]. For example, using a 
hypothetical equality we can type the term 

A[p : Bool = Nat].l + convtrueat~/? : \p:Boo\ = Nat] -> Nat. 

In our language this term erases to the value A[].l +true. On the other hand, if it erased to the stuck 
expression 1 + true then progress would fail. 

Irrelevant arguments are very useful in dependently typed programming. In addition to datatype 
indices, they can be used for type arguments of polymorphic functions (we could make the argument a 
of the app function irrelevant), and for proofs of preconditions (we could make the argument p of the 
saf ediv function in section [TTT] irrelevant) . 

Value restriction The treatment of erasure as discussed so far is closely inspired by ICC* Q and 
EPTS [17], while a related system is described by Abel [ 1 ] and implemented in recent versions of Agda. 

However, the presence of nontermination adds a twist because normal and irrelevant arguments have 
different evaluation behavior. In a CBV language, normal arguments are evaluated to values, but irrel- 
evant arguments just get erased. So similarly to erased conversions we need to be careful — while we 
argued earlier that (Xx : (Bool = Nat). a) (loop) will not lead to type error thanks to our CBV semantics, 
the same reasoning clearly does not work for (A[x : Bool = Nat]. a) [loop]. To maintain the invariant that 
variables always stand for values, we restrict the irrelevant application rule to only allow values in the 
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argument position: 

rhfl : [x:A] -»• 5 

Thv:A 

— — — — T_IAPP 

rhfl[v]: [v/x]B 

This restriction is necessary because allowing nonterminating expressions to be erased would break 
type safety for our language. The problem is not only infinite loops directly inhabiting bogus equalities 
like Bool = Nat (as above). The following counter-example shows that we can get in trouble even by 
erasing an abort of type Nat. First, note that since the reduction relation treats variables as values, 
(Ax.Bool) x ~> p Bool. So we have join : ((Ax : Nat. Bool) x = (Ax : Nat.Nat) x) = (Bool = Nat). Then 
the following term typechecks: 

A[x: Nat] .A/? : ((Ax: Nat. Bool) x) = ({Xx: Nat.Nat) x).conv/?at~j°in 

: [x:Nat] -»• (p : (Ax : Nat.Bool) x = (Ax : Nat.Nat) x) -»• (Bool = Nat) 

On the other hand, by our reduction rule for error terms, (Ax. Bool) abort ~> p abort, so 

join : ((Ax : Nat.Bool) aborts) = ((Ax : Nat.Nat) aborts)- 

So if we allowed abortNat to be given as an irrelevant argument, then we could write a terminating proof 
of Bool = Nat. Note that all the equality proofs involved are just join, so this example does not depend 
on conversions being computationally irrelevant. This illustrates a general issue when combining effects 
and irrelevance. 

The need for termination checking The value restriction is a severe limitation on the practical use of 
irrelevant arguments. For example, even if we make the length argument to cons ' irrelevant, we cannot 
make the length arguments to app irrelevant. The problem is that in the recursive case we would want to 
return 

cons' a [n+n2] x' (app a [n] xs ' [n2] ys) 

but n+n2 is not a value. To make the function typecheck we must work around the restriction by com- 
puting the value of the sum at runtime. A first attempt would look like 

app : (nl n2 : Nat) ->• (a : *) -^Vec' nl a^Vec' n2 a^Vec' (nl+n2) a 
app nl n2 a xs ys = 
case xs of 
nil' ^ys 

(cons' [n] x xs) =^let m =nl-l+n2 in 

cons' a [m] x (app (nl-1) n2 a xs ys) 

This carries out the addition at runtime, so the application of cons' is accepted. But the program still 
does not typecheck, due to the mismatch between m + 1 and n\ + ni. To make it check, we need to insert 
type conversions. Even worse, the conversions rely on the fact that n\ — 1 +«2 + 1 = "l +«2- The proof 
of this uses induction on t%2, i.e. a call to a recursive function, so the proof also can not be erased and 
has to be evaluated at runtime. The rewritten app function is more complicated, and because of the proof 
even asymptotically slower, which is quite unsatisfying. 

However, to ensure type safety we believe it is enough to ensure that erased expressions have normal 
forms. In this paper we use a syntactic value check as the very simplest example of a termination analysis. 
For a full language, we would mark certain expressions as belonging to a terminating sublanguage (with, 
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perhaps, the full power of Type Theory available for termination proofs). To allow the desired definition 
of app the termination analysis only has to prove that addition terminates, which is not hard. 

Value-restricted irrelevance already has uses: for example, except for type-level computation all 
types are values, so we could compile ML into our language erasing all types. But to support precisely- 
typed programs without a performance penalty it is essential to also be able to erase proofs, and as 
we demonstrated above this is not possible without some form of termination analysis. Therefore, we 
consider this language as only a step towards a practical design. 

Datatypes In addition to irrelevant A -abstractions we also allow irrelevant arguments in data types, 
like Vec ' . Datatype declarations have the form 

ie\..j- 



data DA + where { d t : A,- -> DA+ } 

The rules for datatypes in dependently-typed languages often look intimidating. We tried to make ours 
as simple as we could. First, to reduce clutter we write the rules using telescope notation. Metavariables 
A range over lists of relevance- annotated variable declarations like (x : A)\y : B](z '■ C); also known as 
telescopes, while overlined metavariables dj range over lists of terms. Metavariables A + range over tele- 
scopes that have only relevant declarations. Depending on where in an expression they occur, telescope 
metavariables stand in for either declarations or lists of variables, according to the following scheme: if 
A is (x : A) [y : B] (z: C) and aj is a [b] c, then. . . 

. . . this: is shorthand for this: 

a\ A a\ x \y] z 

A^Ai (jc:A)-> Ey:fl]-> (z:C)->Ai 
[ai/A}a\ [a/x}[b/y\[c/z]a\ 
T,A r,x:A,y.B,z:C 

Tho7:A r^a-.AAThb: [a / x]B AT h c : [b/y][a/x]C 
We also simplify the rules by having parameters but not indices. Each datatype has a list of param- 
eters A, and these are instantiated uniformly (i.e. the type of each data constructor dj ends with DA + , 
the type constructor D applied to a list of variables). This restriction does not limit expressivity, because 
we can elaborate non-uniform indexes into a combination of parameters and equality proofs (this is how 
Haskell GADTs are elaborated into GHC Core (261). For example, the declaration of Vec ' above can be 
reformulated without indices as 

data Vec' (a:*) (n:Nat) where 
nil' : [p:n=0] — >Vec' a n 

cons ' : [m:Nat] — > [p:n= S m] — > a — > Vec ' a m — > Vec ' a n 



To make the statement of the canonical forms lemma simpler (see lemma 14 below) we require 
constructors to be fully applied, so they do not pollute the function space. In other words, d by itself is 
not a well-formed expression, it must be applied to a list of parameters and a list of arguments d [A,] dj. 

In the corresponding elimination form (the case expression case^as \y] of {fi?, A ; - a/ el "'}) the pro- 
grammer must write one branch <i, A, =>• a, for each constructor of the datatype D. The branch only 
introduces pattern variables for the constructor arguments, as the parameters are fixed throughout the 
case. However, the parameters are used to refine the context that the match is checked in: if T h b : D 5,, 
then for each case we check 

T, \Bi/A + }Ai,y : b = rf,Aj h a t : A 

The context also introduces an equality proof y which can by used (in irrelevant positions) to exploit the 
new information about which constructor matched. 
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So far, this is a fairly standard treatment of datatypes. However, we want to point out how irrelevant 
parameters and constructor arguments work. 

First, parameters to data constructors are always irrelevant, since they are completely fixed by the 
types. The erasure operation simply deletes them: \d [A,-] oj\ is d\aj\. On the other hand, it never makes 
sense for parameters to datatype constructors to be irrelevant. For example, if the parameters to Vec were 
made irrelevant, the join rule would validate Th join : (Vec [Nat] [1]) = (Vec [Bool] [2]), which would 
defeat the point of having the parameters in the first place. This is reflected in our syntax for datatypes, 
which requires that the list of parameters is a A + (i.e. contains no irrelevant declarations). In order to 
typecheck a datatype constructor, we look up the corresponding datatype declaration in the context and 
check that the provided parameters have the right type. 

data DA + where {<i; : A, — > DA+' eL; } € T 
rhI^:A+ 

= T_TCON 

ThDA, :* 

Finally, arguments to data constructors <i, can be marked as relevant or not in the telescope A,-, and 
this is automatically reflected in the typing rule for constructor application and erasure. For example, 
given the above declaration of Vec ' , the annotated expression 

cons' [Bool] [1] [0] [join] true (nil' [Bool] [0] [join]) 

is well-typed and erases to cons ' [] [] true (nil' []). However, making a constructor argument 
erased carries a corresponding restriction in the case statement: since the argument has no run-time 
representation it may only be used in irrelevant positions. For example, in a case branch 

cons' [m:Nat] [p:n=S m] (x:a) (xs:Vec' am) =4>. . .body. . . 

the code in the body can use x without restrictions but can only use m in irrelevant positions such as type 
annotations and conversions. With the original Vec type we could write a constant-time length function 
by projecting out m, but that is not possible with Vec ' . 



2.4 Very heterogenous equality 

The app-assoc example also illustrates a different problem with indexed data: the two sides of the equa- 
tion have different types (namely Vec a (nl+(n2+n3)) versus Vec a ((nl+n2)+n3)) — so, e.g., the 
usual equality in Coq does not even allow writing down the equation! We need some form of heteroge- 
nous equality. The most popular choice for this is JMeq |fl"5l. which allows you to state any equality, 
but only use them if both sides have (definitionally) the same type. Massaging goals into a form where 
the equalities are usable often requires certain tricks and idioms (see e.g. ifTUl . chapter 10). 

For this language, we wanted something simpler. Like JMeq, we allow stating any equation as long 
as the two sides are well-typed. Our formation rule for the equality type is 

Tha:A Thb:B 

-T_EQ 



rh a = b : * 

Unlike JMeq, however, conversion can use an equality even if the two sides have different types. This is 
similar to the way equality is handled in Guru l25l . although the details differ. 



We showed a simplified version (VCONV) of our conversion rule on page|120 we present the full rule 



(T_CONV) in section 2.6 We now build-up the full rule from the simplified rule, step-by-step, motivating 
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each addition along the way. First, in order to be able to change only parts of a type, we phrase the rule 
in terms of substituting into a template A. 



rh a:[Bi/x]A Fhv:Bi=B 2 
T h [B 2 /x]A : * 

rh convaat[~v/x]A : [B 2 /x]A 



CONV_SUBST 



For example, given a proof r h v : y = 0, we can convert the type Vec Nat (y +y) to Vec Nat (y + 0) 
using the template substitution Vec Nat (y + ~v). 

We need the premise F h [Z?2 /x]A : * for two reasons. First, since our equality is heterogenous, we do 
not know that B 2 is a type even if B\ is. It is possible to write a function that takes a proof of Nat = 3 as 
an argument (although it will never be possible to actually call it). But even if equality were homogenous 
we would still need the wellformedness premise for the same reason we need it in the application rule. 
If B\ is a value and B 2 is not, then [B 2 /x]A is not guaranteed to be well-formed. 

2.5 Multiple simultaneous conversions 

Next, to achieve the full potential of our flexible elimination rule we find it is not sufficient to eliminate 
one equality at a time. For a simple example, consider trying to prove/ x =f xf in the context 

/ : A -> B,f : A' -> B,x : A,x : A',p :f =f',q :x = x 

Note that there is no equation relating A and A'. Using one equality at a time, the only way to make 
progress is by transitivity, that is by trying to prove/ x =f x' and/x' =/' x'. However, the intermediate 
expression/ x' is not well-typed so the attempt fails. To make propositional equality a congruence with 
respect to application, we are led to a conversion rule that allows eliminating several equations at once. 

ri-vi:Ai=fli ... r\-v i :A i = B i 
rha: [Ai/x l ]...[A i /x i }A 
Th [B 1 /x 1 ]...[B i /x i ]A:* 



r h convaat [~vi/xi] ... [~v,/x,-]A : [Bi/xi] ... [5,-/x;]A 



CONV_MULTISUBST 



Of course, the above example is artificial: we don't really expect that a programmer would often want 
to prove equations between terms of unrelated types. A more practical motivation comes from proofs 
about indexed data like vectors, where A might be Vec a (n+(n2+n3) ) and A' be Vec a ((n+n2)+n3). 
In such an example, A and A' are indeed provably equal, but our n-ary conversion rule obviates the need 
to provide that proof. 

The fact that our conversion can use heterogenous equations also has a downside: we are unable 
to support certain type-directed equality rules. In particular, adding functional extensionality would be 
unsound. Extensionality implies (Ax : (1 = 0).l) = (Ax : (1 = 0).0) since the two functions agree on all 
arguments (vacuously). But our annotation-ignoring equality shows (Ax : (1 = 0).l) = (Ax : Nat.l), so 
by transitivity we would get (Ax : Nat.l) = (Ax : Nat.O), and from there to 1 = 0. 

2.6 Annotating equality and conversion 

Ultimately, the unannotated language is the most interesting artifact, since that is what actually gets 
executed. The point of defining an annotated language is to make it convenient to write down typings of 
unannotated terms. (We could consider the annotated terms as reified typing derivations). We designed 
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the annotated language by starting with the unannotated language and adding just enough annotations that 
a typechecker traversing an annotated term will always know what to do. For most language constructs 
this was straightforward, e.g. adding a type annotation to A -abstractions. The annotated programs get 
quite verbose, so for a full language more sophisticated methods like bidirectional type checking, local 
type inference, or unification-based inference would be helpful, but these techniques are beyond the 
scope of this paper. 

The last step is to understand how nontermination and irrelevance affect the final annotated conv and 
join rules, T_CONV and T JOIN below. The conv rule in the erased language, including rc-ary substitution, 
looks like 

H\- u\\M\=N\ ... H\-u i :M i =N i 
H\-m: [M l /x l ]...[M i /x l ]M 
Hh [Ni/x{\ ... [Ni/xi\M : ★ 



H\-m:[N l /xi]...[N i /x i ]M 



-ET_CONV 



To guide the typechecker, in addition to the annotated version of m we need to supply the (annotated ver- 
sions of) the proof values w; and the (annotated version of) the "template" type M that we are substituting 
into. A first attempt at a corresponding annotated rule would look like the CONV_MULTlSUBST rule we 
showed above. 

However, CONVJVIULTISUBST needs one more modification. In order to correspond exactly to the 
unannotated conv rule it should ignore expressions in irrelevant positions. For example, consider proving 
the equation/ [A] a =f [B] b, which erases to/[] \a\ =/[] \b\. The unannotated conv rule only requires 
a proof of \a\ = \b\, so in the annotated language we should not have to provide a proof involving A and 
B. Therefore, in the annotated rule we allow two kinds of evidence P: either a value v which is a proof 
of an equation, or just an annotation [a = b] stating how an irrelevant subexpression should be changed. 
We also need to specify the template that the substitution is applied to. As a matter of concrete syntax, 
we prefer writing the evidence Pj interleaved with the template, marking it with a tilde. So our final 
annotated rule looks like this: 

P :;= v | [a = b\ 

Vj. ((Pjisvj mdT h vj : Aj = Bj) or (Pj is [Aj = Bj] and*,- gFV(|A|))) 
rha: [A i /x l ]...[A i /x i ]A 
r\-[B l /x 1 ]...[B i /x i ]A:* 



rh convaatfr-Pj/xi] ... [~P//x,-]A : [Bi/xi] ... [Bi/xijA 



T_CONV 



For example, if a : Vec A x and y : x = 3, then conv a at Vec A ~y has type Vec A 3. 
Next, consider the equality introduction rule. In the unannotated language it is simply 



mi ^ p n m 2 ^ p n 
H h mi = mi '■ * 
H h join : nil =ni2 



ETJOIN 



This is very similar to what other dependent languages, such as PTSs, offer. In those languages, this 
rule may be implemented by evaluating both sides to normal forms and comparing. Unfortunately, in 
the presence of nontermination there is no similarly simple algorithm — the parallel reduction relation is 
nondeterministic, and since we are not guaranteed to hit a normal form we would have to search through 
all possible evaluation orders. 
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One possibility would be to write down the expression to be reduced, and tag sub-expressions of it 
with how many steps to take, perhaps marked with tildes. In our experiments with a prototype type- 
checker for our language, we have adopted a simpler scheme. The join rule only does deterministic CBV 
evaluation for at most a specified number of steps. So, our final annotated join rule looks like 

\a\ n \b\ W bv n 

r h a = b : * 

— T_JOIN 

r r \o\n a=h ij : a = b 

where i and j are integer literals. In the common case when both a and b quickly reach normal forms, the 
programmer can simply pick high numbers for the step counts, and in the concrete syntax we treat join 
as an abbreviation for join 100 100. When we want to prove equations between terms that are already 
values, we can use conv to change subterms of them. For example, to prove the equality Vec A (1 + 1) = 
Vec A 2 we write 

conv (join : Vec A 2 =Vec A 2) at (Vec A 2 =Vec A "(join : 1+1 =2)) 

Not every parallel reduction step can be reached this way, since substitution is capture-avoiding. For 
instance, with this choice of annotations we cannot show an equation like (Xx.(Xy.y) x) = (Xx.x). So 
far, we have not found this restriction limiting. 



3 Metatheory 

The main technical contribution of this paper is a proof of type safety for our language via standard 
preservation and progress theorems. The full proof can be found in the appendix. In this section, we 
highlight the most interesting parts of it. 

3.1 Annotated and unannotated type systems 

While the description so far has been in terms of a type system for annotated terms, we have also devel- 
oped a type system for the unannotated language, and it is the unannotated system that is important for 
the metatheoretical development. 

The unannotated typing judgment is of the form H h m : M, where the metavariable H ranges over 
unannotated typing environments (i.e., environments of assumptions x : M). Below we give an outline of 



the rules. The complete definition can be found in the appendix (section A.6 1. The two type systems were 
designed so that there are enough annotations to make typechecking the annotated language decidable, 
and to make erasure into the unannotated system preserve well-typedness: 

Lemma 4 (Decidability of type checking). There is an algorithm which given T and a computes the 
unique A such that T h a : A, or reports that there is no such A. 

Lemma 5 (Annotation soundness). IfY h a : A then \T\ h \a\ : |A| . 

In practice, the unannotated rules simply mirror the annotated rules, except that all the terms in them 
have gone through erasure. As an example, compare the annotated and unannotated versions of the IABS 
rule: 

F,x:Ahb:B H,x:Mhn:N 
x 4 FVflfel) x 4 FV(n) 

-T_IABS — — — ; ET.IABS 



rh X[x:A].b : [x:A] -> B " H h X[].n : [x:M] -> N 
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Since our operational semantics is defined for unannotated terms, the preservation and progress the- 
orems will be also stated in terms of unannotated terms. One could ask whether it would be possible 
to define an operational semantics for the annotated terms and then prove preservation for the annotated 
language. The main complication of doing that is that as terms steps extra type conversions must be 
added, which would complicate the step relation. 

3.2 Properties of parallel reduction 

The key intuition in our treatment of equality is that, in an empty context, propositional equality coincides 
with joinability under parallel reduction. As a result, we will need some basic lemmas about parallel 
reduction throughout the proof. These are familiar from, e.g., the metatheory of PTSs, with the slight 
difference that the usual substitution lemma is replaced with two special cases because we work with 
CBV reduction. 

Lemma 6 (Substitution of ~> p ). IfN ~> p N', then [N/x]M ~> p [N'/x]M. 

Lemma 7 (Substitution into ~~> p ). If u ~> p u' and m ~» p m', then [u/x\m ~~> p [u'/x]m'. 

Lemma 8 (Confluence of ~~> p ). Ifm ni\ and m mi, then there exists some m' such that m\ ~~>* m 1 
and m,2 m'. 

Definition 9 (Joinability). We write m\ y ni2 if there exists some n such that m\ n and m2 n. 

Using the above lemmas it is easy to see that y is an equivalence relation, and that mi y m2 implies 

[m\/x\M y [m 2 /x]M. 

3.3 Preservation 

For the preservation proof we need the usual structural properties: weakening and substitution. Weak- 
ening is standard, but somewhat unusually substitution is restricted to substituting values u into the 
judgment, not arbitrary terms. This is because our equality is CBV, so substituting a non-value could 
block reductions and cause types to no longer be equal. 

Lemma 10 (Substitution). IfH\,xy : Mi, #2 \-m:M and Hi h u\ : M\, then Hi, [ui/xi]H 2 h [ui/xi]m : 
[ui/xi]M. 

Preservation also needs an inversion lemmas for As, irrelevant As, rec, and data constructors. They 
are similar, and we show the one for A -abstractions as an example. 

Lemma 11 (Inversion for As). IfH h Xx.n : M, then there exists mi, M\, N\, such that H h mi : M = (x: 
Mi) ->■ Ni andH,x:Mi \~n:N\. 

Notice that this is weaker statement than in a language with computationally relevant conversion. For 
example, in a PTS we would have that M is j3 -convertible to the type (x:M\) — > Ni, not just provably 
equal to it. But in our language, if the context contained the equality (Nat — > Nat) = Nat, then we 
could show H h Ax.x : Nat using a (completely erased) conversion. As we will see, we need to add extra 
injectivity rules to the type system to compensate. 

Now we are ready to prove the preservation theorem. For type safety we are only interested in 
preservation for ~> c bv, but it is convenient to generalize the theorem to —> p . 

Theorem 12 (Preservation). 

IfH h m:M and m ~~> p m', then H h m' : M. 
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H h u\ : Drij = Dn/ 



H\-m: (x:Mi)-*Nt = (x:M 2 ) N 2 



H h join : = n' k 



ETJNJTCON 



H\-\o\n :Mi=M 2 



ET_INJDOM 



Hhui: (x:M)^Ni = (x:M)^N 2 
H\- u:M 



//hjoin : [u/x]N\ = [u/x]N 2 



ET.INJRNG 



Figure 5: Injectivity rules (the two rules for [jt:Afi] — > Ni are similar and not shown) 

The proof is mostly straightforward by an induction on the typing derivation. There are some wrin- 
kles, all of which can be seen by considering some cases for applications. The typing rule looks like 



First consider the case when m n steps by congruence, m n ~-* p m n' . Directly by IH we get that 
H\- n' : M, but because of our CBV-style application rule we also need to establish H h [n'/x]N : *. 
But by substitution of ~» p we know that [n/x]N ~> p [n'/x]N, so this also follows by IH (this is why we 
generalize the theorem to ~» p ). 

This showed H h mn' : [n' /x]N, but we needed H\- mn' : [n/x]N. Since [n/x]N ~^* p [n'/x]N we have 
H h join : [n'/x]N = [n/x]N, and we can conclude using the conv rule. This illustrates how fully erased 
conversions generalize the j3 -equivalence rule familiar from PTSs. 

Second, consider the case when an application steps by /3 -reduction, (Ax.rao) u [u/x]mo, and we 
need to show H h [u/x]mo ■ [u/x]N. The inversion lemma for Xx.rriQ gives H,x : M\ h mo : N\ for some 
H\- join : (x:M) — > N = (x:M\) — > N\. Now we need to convert the type of u to H\- u : Mi, so that we can 
apply substitution and get H h [u/x]niQ : [u/x]N\, and finally convert back to [u/x]N. To do this we need 
to decompose the equality proof from the inversion lemma into proofs of M = M\ and [u/x]N\ = [u/x]N. 
We run into the same issue in the cases for irrelevant application and pattern matching on datatypes. So 
we add a set of injectivity rules to our type system to make these cases go through (figure[5]>. 

3.4 Progress 

As is common in languages with dependent pattern matching, when proving progress we have to worry 
about "bad" equations. Specifically, this shows up in the canonical forms lemma. We want to say that 
if a closed value has a function type, then it is actually a function. However, what if we had a proof of 
Nat = (Nat — > Nat)? To rule that out, we start by proving a lemma characterizing when two expressions 
can be propositionally equal. From now on, Ho denotes a context which is empty except that it may 
contain datatype declarations. 

Lemma 13 (Soundness of equality). If Ho h u : M and M Y {m\ = n\), then m\ Y n\. 

The proof is by induction on Ho \~ u: M. It is not hard, but it is worth describing briefly. To rule 
out rules like A-abstraction, we need to know that it is never the case that (x:M) — > N Y ( m i = 



Hhm:(x:M)^N 

Hhn:M 

HY- {n/x]N:* 



H\~mn: [n/x]N 



ET_APP 
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which follows because ~-* p preserves the top-level constructor of a term. To handle the injectivity rules, 
we need to know that Y is injective in the sense that (x:M\) — > N\ Y (x'.Ma) — > N2 implies M\ Y M2, 
again this follows by reasoning about ~> p . Finally, consider the conversion rule. The case looks like 

Hj) h «i : Mi = N\ ... H D h m : M t = N, 
H D \-u: [Mi/xi]...[Mi/xi]M 
H D h[Ni/xi]...[Ni/xi]M:* 

: = ; : F — ET_CONV 

H D \-u:[N 1 /x l ]...[N i /x i ]M 

We have as an assumption that [N\/x{\ .. [Nj/xi\M Y (mi = n\), and the result would follow from the IH 
for u if we knew that [Mi/xi] ... [M,/x,]M Y (m\ = n\). But by the IHs for u t we know that Nt Y Mf, so 
this follows by substitution and transitivity of Y- 

With the soundness lemma in hand, canonical forms and progress follow straightforwardly. 

Lemma 14 (Canonical forms). Suppose Ho h u : M. 

1. IfM Y (x:M\) — > M2, then u is either Xx.u\ or rec/.u. 

2. IfM Y [x:Mi] — > M%, then u is either X[].u\ or rec/.u. 

3. IfM Y D Mi then u is duj, where data DE + where {di : E,- — > D E + ' el "''} G Ho andd is one of the 
d. 

Theorem 15 (Progress). If Ho \~ m: M, then either m is a value, m is abort, or m -^ c t> v m' for some m'. 



4 Related Work 

Dependent types with nontermination While there are many examples of languages that combine 
nontermination with dependent or indexed types, most take care to ensure that nonterminating expres- 
sions can not occur inside types. They do this either by making the type language completely separate 
from the expression language (e.g. DML ED, ATS El, £2mega ED, Haskell with GADTs 021), or 
by restricting dependent application to values or "pure" expressions (e.g. DML |[T4l . F* B71 . Aura |[T2l . 
and HI). 

In our language, types and expressions are unified and types can even be computed by general re- 
cursive functions. In this area of the design space, the most comparable languages are Cayenne El, 
Cardelli's Type:Type language and IT£ |2]. However, none of them have the particular combination 
of features that we discuss in this paper, i.e. irrelevance, CBV, and a built-in propositional equality. 

A~ lfT3l is a CBV dependently typed language with nontermination, which used CBV-respecting par- 
allel reduction as one possible definitional equivalence. It proposed an application rule which is more 
expressive than just value-dependency, but not as simple as the one in this paper. X~ is not as expres- 
sive as our language (no polymorphism, propositional equality, or Type-in-Type), and has no notion of 
irrelevance. 

Irrelevance We already mentioned ICC* [7], EPTS 021, and Abel's system [1]. One of the key 
differences between the systems is whether the variable x in an irrelevant arrow type [x : A] — > B is 
allowed to occur freely in B ( "Miguel lfl6l -style irrelevance", our choice) or only in irrelevant positions 
in B ("Pfenning[20]-style", see also [21]). Agda implements the latter because it interacts better with 
type-directed equality [T], whereas our equality is not type-directed. 
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Equality The usual equality type in Coq and Agda's standard libraries is homogenous and has a com- 
putationally relevant conversion rule. These languages also provide the heterogenous JMeq lfT5l . which 
we discussed above. 

Extensional Type Theory, e.g. Nuprl ifTTl . is similar to our language in that conversion is compu- 
tationally irrelevant and completely erased. ETT terms are similar to our unannotated terms, while our 
annotated terms correspond to ETT typing derivations. On the other hand, the equational theory of ETT 
is different from our language, e.g. it can prove extensionality while our equality cannot. 

Observational Type Theory [3] also proves (convaat~ft) = a, but in a more sophisticated way than 
by erasing the conversion. Instead it provides a set of axioms and ensures that those axioms can never 
block reduction. It is inherently type-directed, which means that it validates extensionality but cannot 
make use of equations between expressions of genuinely different types. 

Guru [25], like our language, can eliminate equalities where the two sides have different types, and 
equalities are proved by joinability without any type-directed rules. However, unlike our language the 
equality formation rule does not require that the equated expressions are even well-typed. This can be 
annoying in practice, because simple programmer errors are not caught by the type system. Guru does 
not have our n-ary conv rule. 

GHC Core |[26l l28l is similar to our language in not having a separate notion of definitional and 
propositional equality. Instead, all type equivalences — which are implicit in Haskell source — must be 
justified by the typechecker by explicit proof terms. As in our language the presence of nontermination 
means that proof terms must by evaluated at runtime, but there is no notion of irrelevance. 

5 Conclusions and Future Work 

In this paper, we combined computational irrelevance and nontermination in a dependently typed 
programming language. 

In defining the language, we made concrete choices about evaluation order and treatment of con- 
version. Our evaluation order is CBV, and this is reflected in the equations that the language can prove 
(including an inherently CBV rule for error expressions). An effectful language needs a restriction on 
the application rule, and we propose a particularly simple yet expressive one. 

Our conversion rule has a novel combination of features: the equality proof is computationally ir- 
relevant, conversion can use equalities where the two sides have different types, and conversion can use 
multiple equalities at once. These features are all aimed at making reasoning about programs easier. 

We then proposed typing rules for irrelevant function and constructor arguments. We gave examples 
showing that in contrast to previous work in pure languages, irrelevant application must be restricted, 
and described a value-restricted version. 

In future work, we plan to integrate this design with the larger Trellys project. The Trellys lan- 
guage will be divided into two fragments: a "programmatic" fragment that will resemble the language 
presented here, and a "logical" fragment that will be restricted to ensure consistency. While designing 
an expressive and consistent logical fragment will involve substantial additional challenges, the present 
work has provided a solid foundation by identifying and solving many problems that arise from Trellys' 
previously unseen combination of features. 
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A Full Language Specification 

A.l Syntax 



tele, A 



teleplus, A + 



env, r 



decl 



exp, a, b, A, B 



(x : A) A 
[x:A]A 



(x : A)A+ 



r, decl 



x : A 



dataDA+where{^:A;^ DA+' eLj } 
dataDA+ 



★ 

x 

DAi_ 
d [A,-] at 
reef : A. a 
Ax : A. a 
A [x : A] .a 
a b 
a [b] 

(x:A) -»• B 
[x:A] -> B 

casea as [y] of { A ; - =>■ " } 

a = b 

P'\n a=b ij 

injdom a 

injrnga^ 

injtcon,- a 

convaat[~Pi/xi] ... [~P,-/jc,-]A 
a bortA 



telescope 

empty telescope 
relevant binding 
irrelevant binding 

(relevant) telescope 
empty telescope 
relevant binding 

typing environment 
empty 



typing env declaration 
variable 

datatype 

abstract datatype name 

annotated expressions 
type 
variable 
datatype 
data 

recursive definition 
A -abstraction 
irrelevant A -abstraction 
application 
implicit application 
function type 
irrelevant function type 

pattern matching 
equality proposition 
equality proof 
equality proof 
equality proof 
equality proof 
type conversion 
failure 
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v 

[a = b] 
x 

•k 

(x:A) -»• B 
[x:A] -> B 
a = b 

convvatf~.Pi/x!] ... [~Pi/xi]A 
jo< =6 / j 

d [Ai\ Vi 
Xx : A.a 
X[x :A].a 
reef : A.a 



a ai 
[a] ai 



V Vi 

[v]Vi 



(x : M)S 
[x : M]S 



(x : M)E+ 



Proofs used in conv rule 



Values 



list of expressions 
empty 

relevant expression 
irrelevant expression 

list of values 



unannotated telescope 
empty telescope 
relevant binding 
irrelevant binding 

unannotated (relevant) telescope 
empty telescope 
relevant binding 

typing environment 



H,edecl 
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edecl 



x:M 



data DE+ where { d t : S,- -> DE+' el " J } 
dataDS+ 



typing env declaration 
variable 

datatype 

abstract datatype name 



eenvD, Hu 



closed typing environment 



H, edeclD 



edeclD 



data DE+ where {d t : E; ->■ DE+' el " i } 



* 
x 

DMi 

drni 

rec/.u 

Xx.m 

A [].m 

m « 

m[] 

(x:M) -> /V 
[jc:M] -»• /V 

casercof {djxjj =4> m/ el " k } 

m = n 

join 

abort 



unannotated expressions 
type 
variable 
datatype 
data 

recursive definition 
A -abstraction 
irrelevant A -abstraction 
application 
irrelevant application 
function type 
irrelevant function type 

pattern matching 
equality proposition 
equality proof 
failure 



eval, u 



values 



x 
★ 

(x:M) -»• N 
[x:M] -»• /V 
m = n 
join 
Z)S; 
dui 
rec/.u 
Ax.m 
A H.m 
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eexplist, ntj, M,-, Ar- 



tist of expressions 



evallist, U[ 



m nij 

W m 



U Ui 

[} ul 



evalctx, <§ 



Evaluation contexts 



*m 



u* 



case • of {djXij =4> nij} 
dui»m~i 
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A.2 Erasure function 



The erasure function \a\ is defined by: 

* I 
x\ 

DAj\ 
d [A,-] aj| 
rec/ : A.v| 
Ax : A.a\ 
X[x:A].a\ 
a b\ 
a[b}\ 

(x:A) B\ 
[x:A] -»• fl| 
a = 6| 
join a=fe 01 
injdoma| 
injrnga£»| 
injtcon,- a | 

case a as [y] of {df/Ay 



convaat [~Pi/jci] ... [~Pj/jc,-]A| 
aborts | 



■-D\Ai\ 

- d\ai\ 

■ rec/.u 

- Ax.|a| 
= AQ.|a| 

■ M \b\ 

= HD 

:(x:|A|)^ |B| 
:[x:|A|]^ |B| 
: |a| = 
= join 
■- join 

■ join 
= join 

■ case \a\ of {djXl 



where xyy are the relevant variables of Ay 



a di\ 
[a] a~i\ 



\a\ 

abort 



\a\ \cij 

D H 



A.3 CBV evaluation 



(Ax.m) m -^>cbv [w/x]m 



SC_APPBETA 



(rec/.u) M 2 ~> c bv ([rec/.u//]«i) w 2 

-SC_IAPPBETA 



SC.APPREC 



(A[].m)[] -> cbv m 



(rec/.u) [] ~> cbv ([rec/.u//]wi)[] 



SC_IAPPREC 



k 

case (diUi) of { dyxyy my " } -w cbv [ui/xujmi 

— — = - SCLABORT 

6 [abort J ^ c bv abort 

m -w c bv n 



-SCXASEBETA 



S[m] ~> c bv &[n 



SC.CTX 
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A.4 Parallel reduction 



m n 



-SP-REFL 



rec/.u ~> p rec/.u 



SP_REC 



Xx.m Xx.m' 



SP_ABS 



(x:M) -^N^ p (x:M') -»• W 



N~> P N' 



SP_PI 



[x:M] A^-> p [x:M ; ] iV' 



SP_IPI 



m = n m' 



-SP_EQ 



m •Wp m 



-SP_APP 



(Xx.m) u ~-> p [u'/x]m' 



SP_APPBETA 



M2 ^p 11*2 



(rec/.u) w 2 -> p ([rec/.u//]"i) k' 2 



SP_APPREC 



-SP_IAPP 



(A[].m)[] ~> p m' 



SP_IAPPBETA 



(rec/.u)[]^ p ([rec/.u//] M 'i)D 



SP_IAPPREC 



vi. M; -wp m; 

DMi^pDWl 
Vi. m; ^p/nj 



SP.TCON 



SP.DCON 
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ca se m of { dj xy =>■ m/ e 1 "* } ~~> p ca se m' of { dj => nij J = } 



-SP_CASE 



V/. Ui ~» p u\ 
mi m'i 

-jel..k. 



SP.CASEBETA 



case (J/ m/) of { djXij => } ~~> p [w/'/jCi/JinJ 

— — = - SP.ABORT 

<s [abort] ~-> p abort 



ni\ n 

WI2 Y WJ2 



J JOIN 



A.5 Annotated type system 

Tha:A 



hr 



r h ★ : * 



T_TYPE 



T h b : D B, 
ThA:* 



-iel..l - 



data DA+ where { d t : A, ; ->• DA+ "jeT 

Vi. r,[5^/A+]Aj,y:fe = djA i l-ai:A 
Vi. {y}Udom-(Aj)#FV(|ai|) 



T_CASE 



rh case&as[y]of {d,A,- =>■ a ; - }:A 



x : A G T 

hr 

-pT — T_VAR 

Thx : A 

ThA:* T,x:AhB:* 
rh (jc:A) — > fi : * 

ThA:* r,x:Ah£:* 



-T_PI 



Th [x:A] -»• £:* 



-T_IPI 



data DA + where {J, : A, — >■ DA+' E '" J } G T 
ThA7:A+ 

ThDA7:* 

dataDA+ G T 

r h A7 : A+ 

= T_ABSTCON 

Th DA,:* 



-T_TCON 
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data DA + where {fif, : A, — >■ DA+' GL; } G T 
ThA7:A+ 

rhoj: [A,-/A]A,- 

F\-d k \Af\ai-.DAi 

T,x:Ahb:B 
rh Xx:A.b : (x:A) -> B 

T,x:Ahb:B 
* £FV(|fr|) 
Fh X[x:A].b: [x:A] -»• £ 



T_DCON 



T_ABS 



T_IABS 



T,/:Ahv:A r h A : * 
A is (x:Ai) — > A 2 or [x:Ai] — > A 2 
r h rec/ : A.v : A 

rhu : (x:A) -»• B 
Th& :A 
Th [b/x]B:* 



T_REC 



Thab: [b/x]B 



T_APP 



rha: [x:A] -»• B 

Thv:A 

— — — — T_I APP 

rha [v] : [v/x]B 

ThA :* 

T_ABORT 

Th abortA : A 

rha:A rh6:B 

T_EQ 

Th a = b : * 

|a| -4 V n W cbv n 
r h a = b : * 

■ ^ T - J0IN 

1 h J0in a=fo ij : a = b 

Vj. ((P,-isv; andrhv y :A; = B>r(P,is [A y = B 7 ] and*,- £ FV(|A|) )) 
Fha: [Ai/xi]...[Ai/xi]A 

r\-[Bi/xi]...[Bj/xi]A:* 

T h convaat [~Pi/jci] ... [~Pj/jCj]A : [Bi/xi] ... [B f /jc f ]A 

Th V! : ((x:A!) -> Bi) = ((x:A 2 ) -> B 2 ) 



T.CONV 



Th injdomvi : A\ = A 2 

rhvi : ((x:A) -»• Bj) = ((x:A) -»• B 2 ) Thv:A 
Th injrngvi v : [v/x]Bi = [v/x]B 2 

rhvi:([x:Ai]^B 1 ) = ([x:A 2 ]^B 2 ) 



T_INJDOM 



■TJNJRNG 



Th injdomvi : A\ =A 2 

rh vi : ([x:A] -»• Bi) = ([x:A] -»• B 2 ) Thv:A 
Th injrngvi v : [v/x]Bi = [v/x]B 2 



T.IINJDOM 



-T_IINJRNG 
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hr 



rh vi :DAi=DAi 
r h injtcon^- v\ :A/ C = A' k 

r is a well-formed environment 



-T_INJTCON 



-ENV_WF_EMPTY 



hT x £ dom (r) 
ThA :* 

hr,x:A 



-ENV_WF_VAR 



hT,A D dom (//) r,dataDA+,Ah A, ^DA+ :* 



■€l..y 



-ENV_WF_DTYPE 



h r, data D A+ where { dt : A, — >■ D A+ 
hT,A D 0dom(#) 



r h a; : A 



hT,dataDA+ 



ENV_WF_ABSDTYPE 



-TL.EMPTY 



Th • : • 

rhfl :A 
ThA :* 
r h a; : [a/*]A 
r h a a; : (i : A)A 

Tha:A 
ThA:* 
r h a; : [a/x]A 
r h [a] aj : [x : A]A 



TL_CONS 



TLJCONS 



A.6 Unannotated type system 

H\-m:M 



\-H 



H\-*:* 



-ET_TYPE 



H\-n:Dni 
H\-M:* 

data DS+ where { d t : S,- ->■ DE 
Vi. //, [^/S + ]S;,;y : n = d,E ; - h m, : M 
Vi. {y}Udom-(Sj)#FV(m/) 
x7 ; is dom + (S,) 

m,- } : M 



-ET_CASE 



H h case « of {J, X,, 



x:MeH 
\-H 

H\- x:M 



-ET_VAR 
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HhM:* H,x :M\-N:~k 

: ET_PI 

Hh(x:M) -> N:* 
H\- M :* H,x : M \- N : * 

-ET_IPI 



HY- [x:M] —> N :* 



H h DMi : -k 

dataDS + G H 

H l rW i :Z+ 

H h DM] '■ * 



data DE+ where {d t : E; -»• D E+' GW } e # 
HhM~i:E+ 

ET.TCON 



-ET_ABSTCON 



data DS+ where : S,- ->• D E+' el "' / } G // 

// h <4m; : DM,- 
H,x :M\- n:N 

ET_ABS 



ET_DCON 



HVXx.n: (x:M) -> iV 

H,x : M \- n : N 
x i FV(n) 



#h AQ.fi : [jc:Af] -»• iV 



ET_IABS 



H,f:M\-u:M 
HhM:-k 

Mis (x:Mi) ->■ M 2 or [x:Mi] -)• M 2 
/7h rec/.u : Af 

ffhm: {x:M)^N 
Hhn:M 
HY- {n/x]N:* 



ET_REC 



-ET_APP 



HV-mn: [n/x]N 

Hhm: [x:M] -»• AT 
H\-u:M 

■ = — — ET.IAPP 

Hhm[]: [u/x]N 

H>rM:* 

ET_ABORT 



H h abort : M 

HVm:M H\-n:N 
H\- m = n:-k 



-ET_EQ 



f/hm = /i:* 

-ETJOIN 



// h join :m = n 



Sjoberg et al. 



145 



H\- u\:M\=N\ ... Hhui:Mi = Ni 

H\-m: [M l /xi]...[M i /x l ]M 

Hh [N 1 /x 1 ]...[N i /x i ]M:* 

— - — ET_CONV 

H\-m:[N 1 /x 1 ]...[N i /x i ]M 

Hhui: (x:Mi) -> Ni = (x:M 2 ) N 2 

, ET.INJDOM 

H h join :M\=M 2 

Hhui : (x:M) N\ = (x:M) — >■ N 2 
H\- u:M 

■ — — — — ET_INJRNG 

//hjoin : [u/x\Ni = [u/x\N 2 

Hh Ul : [x-.Mi] Ni = [x:M 2 ] N 2 

//hjoin :M\ =M 2 

//h mi : [x:M] -> Ni = [x:M] -»• N 2 

H\- u:M 

-ET_IINJRNG 



ETJINJDOM 



//hjoin : [u/x]Ni = [u/x]N 2 
H\- u\\ Dnj = Drf/ 



//hjoin : ni c =n' k 



-ETJNJTCON 



h H H is a well-formed environment 



— EENV_WF_EMPTY 

h H x i dom (//) 
//hM:* 

— EENV_WF_VAR 



\-H,x:M 

h//,S 

D £ dom (//) 
Vi. £/,■ ^dom(//) 

Vi. //, data D E + , S h S,- — > D S + : * 

-^ri'el.j 



-EENV_WF_DTYPE 



h //, data £>E+ where { d t : S,- -»• DS+ " J } 
h//,E D £ dom(ZZ) 



h//,dataDE+ 



Hhfnr.E 



-EENV_WF_ABSDTYPE 



-ETL_EMPTY 



ETL.CONS 



Hh • : • 
H\-m:M 
H\-M:* 
H\-7n~i : [m/x]E 
H \- mJni : (x : M)E 

H\-u:M 

H\-M:* 

H\-Mj: \u/x]E 

— — : — ETL.ICONS 

// h [] : [x : M]E 
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B Proofs 

B.l Correctness of annotated system 

Lemma 16 (Decidability of type checking). There is an algorithm which given F and a computes the 
unique A such that T h a : A, or reports that there is no such A. 

Proof. The algorithm follows the structure of a — for each syntactic form we see that only one typing 
rule could apply, and that the premises of that rule are uniquely determined. □ 

Lemma 17 (Correctness of erasure). IfT \- a: A, then \Y\ h \a\ : \A\. 

Proof. Easy induction — each annotated rule corresponds directly to an unannotated rule where all terms 
have gone through erasure. □ 

B.2 Facts about parallel reduction 

Definition 18. The head constructor of an expression is defined as follows: 

• The head constructor of '* is *. 

• The head constructor of Nat is Nat. 

• The head constructor of (x : M) — > N is — K 

• The head constructor of[x:M] — > N is [] — K 

• The head constructor ofDMi is D. 

• The head constructor of dnTi is d. 

• The head constructor of a = b is =. 

• Other expressions do not have a head constructor. 

We write hd (M)for the partial function mapping M to its head constructor. 
Lemma 19. Ifm ~» p m' and hd (m) is defined, then hd (m) = hd (m'). 

Proof. By inspecting the definition of ^ p we see that it always preserves the head constructor of a 
term. □ 

Lemma 20. Ifm Y m', then m and m' do not have different head constructors. 

Proof. Expanding the definition of Y we know that m ~~** n and m' ~~** n for some n. If m and m' had 



(defined and) different head constructors, then by repeatedly applying Lemma 19 we would get that n 



had two different head constructors, which is impossible. □ 
Lemma 21 ( Injectivity of Y)- 

• If mi =n\ Y m 2= «2> then mi Y m 2 and n\ Y n%. 

• IfDM n Y DW i2 , then M n Y M i2 . 

• If(x:Mi) -> Ni Y (x:M 2 ) N 2 then M { y M 2 andN x Y ^2- 

• If[x:M\] ->• Ni Y [x;M 2 ] -»• A^2 fAenMi Y ^2 owiM Y 
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Proof. The lemma is proven in the same way for all the different types of expressions, so we only show 
the proof for (1). Expanding the definition of Y, we have that my = n\ -w* N and rti2 = ni N for some 
N. 



By lemma 20 we know that N has the shape n = m. So it suffices to prove that, for any n\,tn\, if 
n\ = m\ -w* n = m, then n\ ~-** n. This follows by an easy induction on the chain of reduction, since at 
each step the only reduction rule that can apply is congruence. □ 

Lemma 22. Ifu ~» p u 1 and m ~» p m', then [u/x]m ~> p [u! /x]m'. 

Proof. By induction on m ~~» p m' □ 
Lemma 23. IfM y M', then [u/x]M y [«/x]M'. 

Proof. Expanding the definition of y we get M -w* M\ and M' ~> p Mi for some M\ . Repeatedly applying 
Lemma 



22 



we then get [u/x]M [u/x]M\ and [u/x]M' -~~+* [u/x]M\ as required. □ 



Lemma 24 (One-step diamond property for ~» p ). If m ~» p m\ and m ~~> p m2, f/iere ex/sfs some m' 
such that mi m ' ond «?2 "^p 

Proof. By induction on the structure of m. We only show the case when m is an application m\ m%, as 
this case contains all the ideas of the proof. 

Case m is my m2 We consider all possible pairs of ways that m\ mi can reduce. 

• One reduction is SC.REFL. This case is trivial. 

• Both reductions are SC_APP. That is to say, m\ mi ~~» p m\\ mn and m\ mi ~~* p m\i mn, where 
m\ mn, m \ ^p m 2i> m i ~* p m2i and mi ~> p m22- 

By the induction hypothesis for mi, there exists m[, such that mn ~~» p m'j and m2i ~» p m' 2 . 
Similarly for m2. So by SC_APP we have m\\ mn ~~> p m'j m 2 and mi2 mn ~~> p m'j m 2 as 
required. 

• One reduction is SCAPPBETA. So it must be the case that mi m2 is (Ax. mo) u. By considering 
cases, we see that only only possibilities for the other reduction is SCLAPPBETA and SCLAPP. 
In the case when the other reduction is SC_APP, we see that the only way that Ax. mo can step 
is by congruence when mo ~» p mo2- So we have: 

(Ax. mo) u ~» p u\ .v ///(> i where mo ~» p moi and u ~» p u\. 
(Ax. mo) u ~-* p (AX./M02) ui where mo ~» p mo2 and u ~> p ui. 



Now by IH we get m' and u' . By substitution (lemma 22 1 we get \u\/x\mQ\ ~> p [u'/x]m' Q , 
while by SCLAPPBETA we get (Ax.mo2) "2 ~^p [u' /x]m' . So the terms are joinable as required. 
On the other hand, if both the reductions are by SC_APPREC, then we have 

(Ax. mo) u [wi/x]moi where mo ~> p moi and u ~-» p u\. 
(Ax. mo) u ^ p [«2/x]mo2 where mo ~» p mo2 and u ~» p ui. 



Then by IH we again get m' and u' , and by substitution (twice), the two terms are again 
joinable at [u' /x}m' . 
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• One reduction is SC_APPREC. So m\ m 2 must be (rec/.u) ui- By considering cases, we see 
that the other reduction must be either SCLAPPREC or SCLAPP. 

If the other rule is SC_APP we note that the only way rec/.u can step is by congruence to 
rec/.u w p rec/.u, so we have 

(rec/.u) U2 ^ p ([rec/.u//]«n) uzi where u\ ~~+ p u\\ and M2 «2i 
(rec/.u) M2 ~» p (rec/.u) M22 where wi ~~* p u\2 and «2 "22 



Now, by IH we have u\ and u' 2 . By congruence, rec/.u ~» p rec/.u, so by substitution 



(lemma 22 1 we get [rec/.u//]wn ~» p [rec/.u//]^, and then by congruence ([rec/.u//]«n) U21 
([rec/.u//]i<j) u' 2 . Meanwhile, by SC_APPREC we have (rec/.u) M22 ([rec/.u//]^) w 2 as 
required. 

On the other hand, if both reductions where by SCAPPREC, then we proceed in the same 
way, but conclude by using the substitution lemma for both expressions. 

• One reduction is SC_ABORT. So mi mi must be abort m 2 or u\ abort. Then by considering 
possible cases, we see that the other reduction must be SC .ABORT or SC_APP (the /3-rules 
cannot match because abort is not a value). If the other rule is SC_AVORT we are trivially 
done, if it is SC_APP then the term steps to u\ abort, which can step to abort as required. 

□ 

Lemma 25 (Confluence of ~» p ). Ifm ~»* mi and m ~»* m 2 , then there exists some m' such that m\ ~~>* m' 
and m 2 m'. 



Proof. This is a simple corollary of the 1-step version (lemma 24 1, by "diagram-chasing to fill in the 



rectangle" (see e.g. [5], lemma 3.2.2). □ 

Lemma 26 ( Y is an equivalence relation). 

1. For any m,m~%m. 

2. Ifm Y n then « Y m - 

3. If mi Y m 2 an d mi Y tn$, then mi Y m 3- 

Proof. (1) and (2) are immediate just by expanding the definition of m Y n and m ~~»* n. 

For (3), by expanding the definition we have some ni and n 2 such that mi n\, mi ~~»* n\, m.% ~~+* ni 
and m3 ~>* n 2 . So by confluence (lemma 25 ) applied to the two middle ones, there exists some n such 



that ni ~^ P n and n 2 -^>* n. Then we have mi ~^>* n and m^ n as required. □ 

Lemma 27. IfN w p N', then [N/x]M ~» p [N'/x]M. 
Lemma 28. IfN Y N', then [N/x]M y [N'/x]M. 

Proof. Expanding the definition of Y we have N Ni and N' ~» p Ni for some N\. Now repeatedly 



apply Lemma 27 to get [N/x]M -w* [Ni /x)M and [N'/x]M [Ni /x]M. □ 



Lemma 29. Ifm ~» p m', then FV (m!) C FV (m) 
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B.3 Structural properties 

Lemma 30 (Free variables in typing judgments). IfH h m: M, then FV (m) C dom (H) and FV (M) C 
dom (//). 

Lemma 31 (Regularity for contexts). IfH h m : M m<m h //. 

Lemma 32 (Regularity for variable lookup). IfH\,x : M,H 2 h « : AT, #i h M : 

Lemma 33 (Context conversion). If H,x : M,H' \- n : N and H h join : M = M' and H\- M' : f/ien 
H,x:M',H'\-n:N. 

Lemma 34 (Substitution). Suppose H\\- : M\. Then, 

• IfH\,x\ : Mi, #2 \~ m:M, then Hi, [u\/x\]H2 h [u\/x\]m : \u\/x{\M. 

• If\-H\,xi :M\,Ht_, thenh Hi,[u l /xi]H 2 . 
Lemma 35 (Regularity). //// hm:M, f/jen H\- M 

Lemma 36 (Data constructors are unique in the environment). If\~ H, and 

: iei..j- 



data DE+ where { rf,- : S,- ->• D S+ 

data D'E + ' where : S • — > D' E+ /!el "' / } e //, 
anJ J/t = J/', D = D' and S + = E +/ a«J = Ej. 

B.4 Inversion Lemmas 

We need one inversion lemma for each introduction form that has a computationally irrelevant eliminator. 
These proofs are all similar, so we only show the representative case for A. 
We first need some basic facts about equality. 

Lemma 37 (Inversion for equality). IfH h m = n : Mo then, Hh m:M and H h n : N. 

Proof. Induction of H h m = n : Mo. The only cases where the subject of the conclusion of the rule 
is an equality are ET_EQ (where we get the result as a premise to the rule) and ET_CONV (direct by 
induction). □ 

Lemma 38 (Proof irrelevance for equality proofs). IfH h u : M = N, then H h join : M = N 



Proof. By regularity (lemma 35 I we know H h M = N : *, so by inversion (lemma 37 1 we have H\- M : *. 
So by ET.TJOIN, H h join : M = M. 

Now by ET_TCONV we get // h join : M = N by using the assumed proof m to change M to N. □ 

Lemma 39 (Prepositional equality is an equivalence relation). 

• IfH h m : M, then H h join :m = m. 

• //// h m : mi = w?2> ^Acw // h join : m2 = mi. 

• IfH h u : mi = ni2 and H\- u' :m2 = m^, then H h join : mi = m3. 

Proof. (1) is just a special case of ET_J0IN. 

(2) We have H h join : mi = mi, so we can use the assumed proof to change the left mi to an m%. 

(3) Use the assumed proof u to change the type of u' . □ 
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Lemma 40 (Inversion for X). IfH h Xx.n : M, then H h join : (x:Mi) — >■ iVi = M/or some Mi and Ni, 
and H,x :M\\- n:N\. 

Proof. By induction on H h Xx.n : M. Only two typing rules can have a A as the subject of the conclusion. 
Case ET ABS The rule looks like 

H,x:Mhn:N 



HhXx.n : (x:M) -> N 



ET_ABS 



By ET.JOIN we have H h join : (x :M) — > N = (x :M) -> Af, and we have //,x : M h n : W as a 
premise to the rule. 

Case ET CONV The rule looks like 

Hh u\ :M\ = N\ ... H<ru i :M i =N i 
HV-rn: [M 1 /x l ]...[M i /x i }M 
HY- [N l /x l ]...[N i /x i }M :* 



-ET_CONV 



HY-m: [N { /x { ]...[Ni/x,]M 

By IH we get that [Mi/xi] ... [M{/xi\M is propositionally equal to an arrow type, with n being 
typeable at the "unwrapping" of that type. So if we can show that [Ni/x\] ... [Ni/xt]M is proposi- 
tionally equal to that same arrow type, then we are done. 



But note that by regularity, inversion and reflexivity (lemmas 35 37 39) we have H h join : 



[Mi/xy] ... [Mj/xi]M = [Afi/jci] ... [Mi/xi\M. By applying ET.CONV using the proof u\...Ui we get 



H\-\6m : [M\/x{\ ... [M,-/jCj]M = [N\/x\] ... [Ni/xi]M. Then by transitivity (lemma 39) we have that 
[Ni/xi] ... {Nj/xi]M is propositionally equal to the arrow type as required. 

□ 

The remaining inversion lemmas follow a similar pattern, so we omit the proofs. 

Lemma 41 (Inversion for irrelevant A). IfH\~X[}.n :M, then H h join : [jc:Mi] — > N\ = M for some M\ 
andN\, and H,x : Mi h n : N\ where x ^ FV(n) . 

Lemma 42 (Inversion for rec). IfH h rec/.u : M, ?/j<??i // h join : M = Mi arcd H,f :M\r- u:M\ for some 
Mi such that H h Mi : * and Mi ij arc relevant or irrelevant arrow type. 

Lemma 43 (Inversion for dcon). IfH h rfm; : M, f/ierc h join : DA 7 , = Mfor some Ni such that: 

• data DS + where {c?,- : E; — > £) S+' £l ; } 6 H and d is difor one of the constructors in the declara- 
tion. 

• HhNr.Z 

. HV-mr. pV*/S]S; 

B.5 Preservation 

Lemma 44 (A conversion rule for value lists). If H \- uj : [Mi/yj]E and V/. H h join : M, = A 7 , and 

Proof. We proceed by induction on the structure of S. 
Case empty. Trivial. 
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Case (x : M)E. By inversion on the assumed judgments, we know 

H h u : \M~i/yi]M 
H h \Mi/yi]M : * 
H h ~ui : [u/x]\Mi/yi]E 



ETL_CONS 



//H M m7:(x: [M ; /^]M)[M ; /^]S 
and 

^H,x:Wi/Ti\MM/yi\Z. 
By inversion on this, we have H h [Ni/yj\M : *. 

Now since we know Vi. H h join : M,- = iVj and // h [Wi/yj]M : then by ET_CONV we have 
HY- u:\NilYi\M. 

By substitution (lemma 34 1 we get h H, [u/x]\N~i/yi]'E. We know u is well-typed, so by ET_J0IN 
we have H h join : u = u. Then by IH, taking the multi-substitution to be [u / x][Mi /Yi\, we get 
HhMj: [u/x] [Ni/yi]E. So re-applying ETL.CONS we get 

HhuUi:(x:WMM)Wily^ 

as required. 

Case [x : M]S. This case is similar. Inversion on the first assumed judgement now gives 

# h w : \Mi/yi]M 
H h [M,-/j7]M : * 
ffhB/: [«/jc][Hi/57]E 

^=-^ — -== ETLXONS 

Hh\\Wi-.(x-.Wi/yi\M)\Mi/yi\z 

By reasoning as in the previous case we get H\- u : pV^/yjjM and // h [A^/y^M : * and H \- u] : 
[u/x]\Ni/y~i\& Then re-apply ETL_lCONS. 

□ 

Theorem 45 (Preservation). 

1. IfH \- m: M and m ~» p m', then H\- m! :M. 

2. IfH\-rnj:[ni/yi]...[ni/yi]Eand\/i. nij ~~» p m- andVj. nj ^ p n'j, then H hmj' : [n\/yi] ...[n' l /yi]'E. 
Proof. By mutual induction on the two judgments. The cases for H h m : M are: 

Cases ET.TYPE, ET.VAR, ET.ABORT, ET.JOIN, ET.INJDOM, ET_INJRNG, ET.IINJDOM, ET.IINJRNG, 
ET_INJTCON. 

These expressions can not step except by SP-REFL, so the result is trivial. 
Case ET.CASE. The rule looks like 

ThA :* 

-iei..l. 



data DA+ where { d t : A, ■ D A+ "}er 
Vi. T, [Wi/A+}Ai,y : b = d d A, h a, : A 
Vi. {y}U£/ojn-(A/)#FV(|fli|) 



-T_CASE 



r h caseft as [y] of { J; A,- =£- a; " } : A 

■je\..k- 



We consider the ways the expression case« of { djXy => nij " } may step: 
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To casen' of { djxjj => m'j } by SP.CASE when n ~~* p n and V/'. ray 
By IH we get H\- n: Dnj. Also by IH, for each j we have 

H, [nj/E]Ej,y : n = djEj h raj : M. 



Now by regularity (lemma 32 1 and inversion (lemma 37 ) we know that dj Ey is welltyped in 



the context H, [Wi/Z + ]Zj. And we already observed that n and n' are welltyped. So n = djEj 
and n' = djEj are wellformed equations. Since n = djEj ~*~* p n' = djEj, by ETJOIN we have 
H, [nj/E + ]Ej h join : (n = dj Ej) = (n' = dj Ej). So by context conversion (lemma 33 1 we have 



H, [ffi/E + ]Ej,y : n = djEj h raj : M. 



Then we can re-apply ET_CASE to get the required 



H h casen' of { flf/JCy =>• raj } : M . 

To [i<i'/jc//]mj by SP_CASEBETA when « is diUj, and V/. w ; - ~-* p «• and ra/ -w p ra^. Notice that 
the step rule in particular requires that d\ is one of the branches of the case expression. 



By inversion (lemma 43 1 on the premise ff h du\ : Drii, we know that H h n : DNi with 
H h join : DA^ = D«J, and H \~N~i : Z + and H \- Hi : [A^/S+]S,-. (We know that the D, S 
and S, that come out of the lemma are the same as the ones in the typing rule because data 



constructors have a unique definition in the context (lemma 36 1). 

By the rule INJTCON we get H h join : /V,- = «, for each i. So by value-list conversion 



(lemma 44 1 we have H\- Ui\ [«,/S + ]S/. 



We next claim that H ,y : diul = diu{ V [wZ/E/jraj : M. To show this we prove a more general 
claim: for any prefix u \ . . . u' k of ui, and supposing S/ has the form (x\ : Mi) ... (x^ : Mjt)So, 
we have 



H, [u\/xi] ... [u' k /x k ][ni/E + }Eo,y : [u' x /xi] ... [u' k /x k ](diUi ■■ 
h [wi/xi] ... [u' k /x k ]mi : [u\/x\] ... [u' k /x k ]M 



d{Ei 



This follows by induction on k (by applying substitution, lemma[34} k times). So in particular, 
we have 

H,y : [u]' /Ei](diuj = diE{) h [uf /E/]m/ : [w/'/ 2 /]^ 

But by the premises H\- M and H \- diui : Dnj together with lemma [30| we know that 
are not free in diuj or M, so this simplifies to 

H,y : cf/M; = diUi h [wj /E/]mJ : M 

as we claimed. 

Next, we know diui is well-typed because that is a premise to the rule. By the mutual IH we 
have that ff h diuf : so cf/M;' is well-typed too. So by ET_JOlN we have H h join : = 
J/iTj'. Then by substitution (lemma [34]> again we have 



H H [join/j][M//S/]ra; : [join/y]M. 



But as a side-condition to the rule (plus lemma 29 1 we know that y ^ FV (ra$) , and y is a 



bound variable which we can pic so that y ^ FV (M) . So we have in fact show the required 



H h [Wi'/Eijm'j : Af. 
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• To abort by SP_ABORT. By regularity (lemma 35 1 on the original typing derivation we know 
that H h M : *, so by ET_ABORT we have H h abort : M as required. 

Case ET_PI. The rule looks like 

H\- M H,x :M\~N :* 

-ET_PI 



Hh(x:M) -> N :* 
The only way (x:M) — >• N can step (except trivially by SP_REFL) is by SP Pi: 

(x:M) ->N^ P (x:M') -> W whereM^ p M' andN ~» p W 
We must show H \- (x:M') ^ N' : *. 

By IH we immediately get // h M' : * and H,x : M \- N' : *. Since M ~~» p M' we also have M Y Af', 
so applying ETJOIN we get // h join : M = M' . Then by context conversion (lemma 33 1 we get 
H,x: M' \- N' :*. We conclude by re-applying ET_PI. 

Case ET_IPI Similar to the previous case. 

Case ET ABS . The rule looks like 

H,x:M\-n:N 

-ET_ABS 



HhXx.n : (x:M) -> N 

The only non-trivial way the expression Xx.n can step is by SP_ABS to Xx.n' when n~^ p n' . By IH 
we get H,x : M \- n' : N. So re-applying ET_ABS we get H h Ajc.n' : (x:M) — >• A 7 " as required. 

Cases ETJABS, ET_REC. 

These are similar to the previous case. For IABS, note that the free variable condition is preserved 



by lemma 29 



Case ET.TCON. The rule looks like 



data DE+ where {d t : Ej -> DE+' eLj }6 H 
//hM- :S+ 

= ET.TCON 

H h DMi : * 

The only way the expression can step is by SP_TCON, so V/. M, ~~* p M\. By the mutual IH, we get 
H h M,' : S + . So by re-applying ET_TCON we have H h DM, : * as required. 

Case ET_ABSTCON. Similar to the previous case. 

Case ET_DCON. The rule looks like 

-iel.j- 



dataDS + where {<i,- : S,- —>■ D E+ 



H\- dktrii : DM; 



-ET_DCON 



By the mutual induction hypothesis (with an empty substitution) we get H h Mj • : S and // h m, : 
[M,-/E]E,-. Conclude by re-applying ET_DCON. 



154 



Irrelevance, Heterogeneous Equality, and CB V 



Case ET_APP. The rule looks like 



Hhm: (x:M)^ N 

Hhn:M 

Hh[n/x]N:* 

ET_APP 

Hh mn : [n/x]N 

We consider how the expression m n may step. 

• To m' n' by SP_APP if m ~~» p m' and n ~~» p n'. 

By IH we have H\- m' : (x:M) ^ N and H h n' : M. By lemma 



27 



we know [n/x]N 



[n'/x]N, so also by IH we have H h [n'/xjA 7 ' : *■ So re-applying ET_APP we get H\- m' n' : 
[n'/x]N. 

Finally, by etjoin we have H h join : [n/xjAf = [n'/xjAf, and hence by et_conv we get 
H\- m' n' : [n/x]N as required. 

To [u'/x]m\ by SP_APPBETA if m is \x.m\ and n is w, and mi w p and w -w p w'. 
By IH we have H\- u' : M. Also, Xx.m\ ~~+ p Xx.m[ so by IH we have H h Ax.m'j : (x:M) — >• 
A". By inversion (lemma [40]) we know that H,x : M\\- m\ : N\ for some M\,N\ such that 
// h join : (x:Mt) — > Ni = (x : M) ->■ A". By ET_lNJDOM we have // h join : Mi = M, and 



byregularity (lemma 32 1 we have Hh Mi : *, so by ETXONV we get u' :M\. Now by 



substitution (lemma 34 1 we get 



// h [u! /x]m\ : [i/ /x]Ni. 



Now, by ET_INJRNG we have // h join : [w'/xjA^i = [u'/x)N. Also, by lemma 27 we know 



[u/x\N ^ p [m'/xJA^, and we noted above that H h [i//x]iV : *, so by ET_J0IN we have H h 
join : [it/xjA 7 = [u! /x]N. By symmetry and transitivity (lemma 39 1 this yields H h join : 

[ M '/x]7Yi = [u/x]iV. 

Finally, we had H h [w/xjA 7 : * as a premise to the rule. So by ET_CONV we get the required 

H h [w'/x]mi : [w/xjA'. 

To ([rec/.u//]Mi) by SP_APPREC if m is rec/.u, « is 112, and wi ^ p m'j and ui ~> p i/ 2 . 
By IH we have H\- m'-M. Also, since rec/.u ~» p rec/.u, by IH we have H h rec/.u : (x : 

U2/x]N ~»p [m 2 /x]N, by IH we get // h [^/xjA" : ★. 
we know //,/ : Mi h Mj : Mi for some Mi such that H h join : Mi = 



M) — >• A". And since by lemma 
By inversion (lemma 
(x : M) — > N and H\- M\ : * and such that Mi is an arrow type. 

So by the ET_REC rule, we get H h rec/.u : Mi. Then by substitution (lemma 34 1 we have 
HI- [rec/.u//K 

By regularity (lemma 35 1 on the original premise of the rule we know H h (x :M) — > A" : 
so by ET_CONV we have // h [rec/.u//]wj : (x:M) -> A 7 '. Then re-apply ET_APP to get 

H h ([rec/.u//]«i) w' 2 : [4/x]^. 

As we noted above [i^/xjA" ~» p [t^/xjA 7 , and both expressions are well-kinded, so by ET_J0IN 
we know H h join : [i^/xjAf = [u2/x]N. So by finally applying ET_CONV we get the required 



H\- ([rec/.u//] itj) 4 : [m/x]N. 
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• To abort by SP_ABORT. By regularity (lemma |35j) on the original premise we know H h 
[n/x]N : *. So by ET_ABORT we have H h abort : [n/x]N as required. 

Case ET_IAPP. The typing rule looks like 

Hhm: [x:M] -t N 
H\- u:M 
ffhm[]: [u/x]N 



-ETJAPP 



We consider how the expression m[] may step: 

• To m'W by SP_IAPP if m -v-> p m'. By IH we know H h m' : [x:M] 
ET.IAPP we get ffhm'l : [u/x]N as required. 

• To m\ by sp_iappbeta if m is X [] .m\ and m\ 



N, so by re-applying 



Note that A[].mi ~~* p AQ.ra'j, so by IH we get H \- : [x:M] — > N. Then by inversion 



(lemma [41]) we know H,x:M\h n:N\ for some Mi and A^j with H h~ join : ( [x : M{\ — >• A^i) 
([x:M] -»■ AT), andx ^ FV^) . 



Now, we have H h w : M as an assumption to the rule. By regularity (lemma 35 ) on that 
assumption we get H h M : and by ET_llNJDOM we have // h join : Mi = M. So by 



ET.CONV we get H h w : Mi. Then by substitution (lemma 34 1 we get 

//h [w/x]n : [u/x]N\. 

Since we know x is not free in n this is the same as saying H\- n: [u/x]N\. Furthermore, by 
ET_llNJDOM we get H h join : [w/xjA^i = [u/x]N, and by regulaiity on the original derivation 
we have H h [«/x]A^ : So by ET_CONV we get the required 

H\-m': [u/x]N. 

To ([rec/.u//]«j)[] by SP.IAPPREC if m is rec/.u and «i ~» p u[. 
Note that rec/.u ~-+ p rec/.u, so by IH we know H h rec/.u : [x:M] 



A^. By inversion 

(lemma 42 1 we get that H,f : Mi h u\ : Mi for some arrow type Mi such that H h join : Mi = 
[x:M] — >■ A 7 " and H h Mi : By ET_REC we then have // h rec/.u : Mi, hence by substitution 
(lemma [34]> we have 

# h [recf.u/f]u\ :Mi. 



By regularity (lemma 35 ) applied to the original typing rule we know H\- [x:M] 
by ET_CONV we then have 

H h [rec/.u//]tfi : [x:M] -»• AT. 
So re-applying ET_IAPP we get the required 

//h([rec/.u//-] M , i)[]:[ M /x]^V. 

To abort by SP_ABORT. 



By regularity (lemma 35 1 applied to the original type rule we know H h [u/x]N : *, so by 
ET_ABORT we have 

HY- abort : [m/xJA 7 

as required. 
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Case ET_EQ. The rule looks like 

Hhm:M Hhn:N 

■ ET_EQ 

H\- m = n:* 

The only non-trivial way the expression m = n can step is by SP_EQ to m' = n', when m m! 
and n~^ p n' . By IH we immediatly get H h m:M and H \- n : N, and we conclude by re-applying 
SP_EQ. 

Case ET.CONV. The rule looks like 

H\-ui:Mi=Ni ... H < ru i :M i =Ni 
HY-m: [Mi/xx]...[Mi/xi]M 
HY- [Ni/x-L]...[Ni/xi]M:-k 

= — = — ET.CONV 

H\-m: [N l /x l \...[N i /x l ]M 

and we know that m -w p m! . Directly by IH we get H h m' : [Mi/xi] ... [M,/x,]M, and conclude by 

re-applying ET_CONV. 
The cases for H h TFTj : S are: 
Case ETL EMPTY. Trivial. 

Case ETL CONS. After pushing in the substitution, the rule looks like: 

H\-m: [n l /y l }...[n i /y i ]M 

HY-[n 1 /y 1 ]...[n i /y i ]M:* 

HhfFTi: [m/x)[ni/y\]...[ni/yi)E 

ETL CONS 

Hhmrni:(x: [ni/yi] ... {n i /y l ]M)[ni/y\\ ... [«i/y,-]E 

By mutual IH we have H\- m' : [ni/yi] ... [«,/y,]M. 

By repeatedly applying lemma 27 we know [m /yi] ... [nj/y/jM ~» p [n^/yi] ••• [«-/y;]M, so by mutual 
IH we get H h K/yi] ••• [n'i/yi]M : ★. 

By et_join we then have // h join : \n\/y\] ... [n,/y,-]M = [n'j/yi] ... [n'Jy^M, so by et.conv we 
get HY- m : [n'Jyi]... [n'Jy^M. 

Finally, by the IH (using that m -~~+ p m') we haweHY-mj' : [m'/jcjfn'j/yi] ... [nJ./y;]E. Sore-applying 
ETL_CONS we get the required 

HY-m'mf : [n'i/yi] ... [nJ/y,-]E. 
Case ETL ICONS. After pushing in the substitution, the rule looks like: 

HY-u: [n l /y{\...[n i /y i ]M 
HY-[m/y l ]...[n i /y i ]M:* 
HY-ny: [u/x}[n x /yi} ... [m/y^ 



tfh [} mi : [x : h/yi] ••• [ni/yi]M][ni/yi] ... [m/y^Z 



ETL_ICONS 



By repeatedly applying lemma 27 we know [ni/yi] ... [rij/yijM -~~* p [n'j/yi] ... [n'Jy^M, so by mutual 
IH we get H h K/yi] ... K-/y;]M : *. 

By ET.JOIN we then have H h join : [«i/yi] ... [n,/y,-]M = [n'j/yi] ... [n{/y,-]M, so by ET.CONV we 
get HY-u: K/yi] ... [n'Jy^M. 

Finally, by the IH (using that u ~-* p w, reflexively) we have H Y-fn/ : [u/x][n[/yi] ... [n|-/y,-]E. So 
re-applying ETL_CONS we get the required 

ffh[]^:K/yi]-[";/y«]s. 

□ 
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B.6 Progress 

Lemma 46 (Soundness of equality). If Ho h u : M and M Y (m\ = n\), then m\ Y «i. 

Proof. Cases ET_TYPE, ET_PI, ET_IPI, ET.TCON, ET.ABSTCON, ET.DCON, ET_ABS,ET_IABS, ET.REC, 
ET_EQ. 

The M in the conclusion of these rules have a defined head constructor, which is not =. So by 
lemma [20) M cannot be joinable with m\ =n\. 

Cases ET CASE, ET APP, ET IAPP, ET ABORT. These expressions are not values. 

Case ET VAR. This is impossible in an Ho context, since it doesn't contain any variable declarations. 

Case ET JOIN. The rule looks like 

m Y n 

H\- m = n : * 

-ETJOIN 



H h join : m 



By injectivity (lemma 21 1 we have have m~% m\ and n Y "l- And by assumption we have m Y n. 
So by symmetry and transitivity (lemma 26 ) we have m\ Y n\ as required. 

Case ET.CONV. The rule looks like 

HVu\:M\=Ni ... Hhur.Mj=Ni 
H'rm: [Mi/jci] ... [Mi/xj\M 
Hh [Ni/xi}...[Ni/xi]M:* 

Hhm: [N l /xi]...[N i /x i ]M 



-ET_CONV 



and we are given that that [Ni/xi] ... [Nj/xj]M Y (mi =n\). By the IH for m it suffices to show that 
[Mi/xi] ... [Mi/xj]M Y (m\ = n\). 



But by the IH for w, we know M,- Y Ni, so we get this by repeatedly applying lemma 28 
Case ET_INJRNG. The rule looks like 

Hhui : (x:M) ->• JVi = (x:M) -»• A^ 2 
H\-u:M 

-ET.INJRNG 



//hjoin : [m/jc]ATi = [m/x]^ 



and we are given that ([w/xjA^i = [w/xjA^) Y ( m i =«i)- 

By IH we get (x:M) — >■ Ni Y (x:M) — >• N2, so by injectivity (lemma 21 1 we know A/j Y Ni- Then 
by lemma 23 we get [u/x]N\ Y [«A]A^2 as required. 

Case ET.INJDOM, ET_IINJDOM, ETJINJRNG, ET.INJTCON. Similar to the previous case. 



□ 



Lemma 47 (Canonical forms). Suppose Ho \~ u:M. Then: 

1. IfM Y (x:Mi) —> Mi, then u is either Xx.u\ or rec/.u. 

2. IfM Y [x:Mi] — > M%, then u is either X[].u\ or rec/.u. 



3. IfM Y DM, then u is duj, where data DS + where {dj : S,- — > D E + ' el " J } E Ho andd is one of the 
dj. 
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Proof. By induction on Ho h u : M. The cases are: 

Cases ET.TYPE, ET_PI, ET_IPI, ET.TCON, ET.ABSTCON, ET_EQ, ETJOIN, ETUNJRNG, ET.INJDOM, 
ET_IINJDOM, ET_IINJRNG, ETJNJTCON. 

The M in the conclusion of these rules have a defined head constructor, which is not one of the 



interesting ones. So by lemma 20 M cannot be joinable with one of the interesting types. 
Cases ET.CASE, ET_APP, ET_IAPP, ET_ABORT. These expressions are not values. 
Case ET VAR. This is impossible in an Ho context, since it doesn't contain any variable declarations. 
Cases ET_DCON,ET_ABS,ET_IABS. The type in these expressions is joinable with one of the interesting 



ones, and by lemma 20 it can be joinable with at most one of them. The expression in the rule does 
indeed have the required form. 

Case ET REC. The rule looks like 

H,f : M h u : M 
H\- M :-k 

Mis {x:Mi) ->■ M 2 or [x:M{\ — > M 2 



ET_REC 



Hh rec/.u :M 

We know from the side condition to the rule that M is a relevant or irrelevant arrow. Then the 
expression does indeed have the required form. 

Case ET.CONV. The rule looks like 

H\-ui:M 1 =Ni ... Hhur.Mj=Nj 
Hhm: [M l /xi]...[M i /x i ]M 
H h [N { /x { ]...[N i /x l ]M :-k 



ET.CONV 



Hhm: [N l /xi]...[N i /x i }M 

Suppose, for example, that [N\/x\\ ... [Ni/xj]M Y {x:M\) — > N\. By the IH for m ut suffices to 
show that [Mi/xi] ... [M//x;]M Y (x:Mi) — >■ N\. 

But by soundness of equality (lemma [46]), for each u\ we know M,- Y so we get this by repeat- 
edly applying lemma [28] 

□ 

Theorem 48 (Progress). If Ho \~ m: M, then either m is a value, m is abort, or m -^ c t> v m' for some m'. 
Proof. By induction on Ho \~ m: M. The cases are: 

Cases ET_TYPE, ET_VAR, ET_PI, ET_IPI ET_TCON ET_ABSTCON, ET_EQ, ETJOIN, ETJNJDOM, ET_INJRNG, 

ET_IINJDOM, ET_IINJRNG, ET.INJTCON, ET_ABS, ET.IABS, ET_REC. 

These rules have a value as a subject. 
Case ET_CASE. The typing rule looks like 

Hhn:DnJ 
H h M :* 

-iel.i- 



dataDS + where {J,- : —)• D S+ } e H 
V/. H, [n~i/Z + ]Ei,y : n = djEj h m; : M 
V/. {y}Udom"(E,-) # FV(m ; ) 
xjj is dom + (S,-) 

H h caseraof {djTjj m,' e " } : M 



ET.CASE 
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By IH, we have that n is either a value, is abort, or steps. If it steps, the entire expression steps by 
SC_CTX. If it is abort, the entire expression steps to abort by SCLABORT. 

Finally, suppose n is a value. By canonical forms (lemma |47j) we know that it must be of the form 
duj, and defined by a datatype declaration for D in the context. Since datatype declarations are 



unique (lemma 36 ), it must be the same datatype declaration that is mentioned in the typing rule 
above. So the case expression has a branch for d, and can step by SC.CASEBETA. 

Case ET DCON. The expression is dny. By IH, each of the m, is a values, is abort, or steps. If they 
are all values, the entire expression is a value. Otherwise, if the first non- value is abort the entire 
expression steps by SCLABORT, and if it steps the expression steps by SC_CTX. 

Case ET_APP. The rule looks like 

Hhm:(x:M) -> N 

Hhn:M 

H\-[n/x]N:* 

ET_APP 

H h mn: [n/x]N 

By IH, m and n either, step, are abort is are values. If m steps, the entire expression steps by 
SC_CTX. If it is abort the entire expression steps by SC_ABORT. So in the following we can assume 
it is a value. 

By similar reasoning, we can assume n is a value. 



Now, by canonical forms (lemma 47 1 we know that m is either Xx.m\ or rec/.u. If it is Xx.m\ the 
entire expression steps to [n/x]m\ by SC_APPBETA, while if it is rec/.u the entire expression steps 
to ([rec/.u//] wi) nby SCLAPPREC. 

Case ET_IAPP. The rule looks like 

H\-m: [x:M] -> N 

Hhu:M 
■ = — — — ETJAPP 

ffhm[j: [u/x]N 

By the IH, m either steps, is abort or is a value. If m steps, then the entire expresions steps by 
SC_CTX and the context •[]. If it is abort, the entire expression steps to abort by SC_ABORT and 
the same context. 



Finally, m may be a value. In that case, by canonical forms (lemma 47 1, m is either A[]./ni or 
rec/.u. If it is A \\.m\, the entire expression steps to m\ by SC_IAPPBETA. If it is rec/.u, then the 
entire expression steps to ([rec/.u//]«i)[] by SC_IAPPREC. 

Case ET ABORT. The subject of the typing rule is abort. 

Case ET.CONV. Follows directly by IH. 

□ 



B.7 Regularity and substitution for the annotated language 

While not needed for the type safety proof, in this section we supply proofs of regularity and substitution 
for the annotated language. This is of interest because it proves that the "value-dependent" application 
rule is admissible in our system. 

Lemma 49. IfTha: A, then FV (a) C dom (r) and FV (A) C dom (T). 
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Lemma 50 (Weakening for h R). Ifh F,F' then h R 

Lemma 51 (Weakening for the annotated language). IfY\- a: A and h T, R then r,V \- a :A. 
Lemma 52 (Substitution commutes with erasure). We always have \ [a/x]b\ = [\a\/x]\b\. 

Proof. By induction on b. □ 

Lemma 53. Ifm ^ c bv m ', then [uo/xo]m -^ c bv [uo/xo]m!. 

Proof. By induction on m ^ c b v m> ■ The cases are: 

SC_APPBETA. The assumed step is (Xx.m) u -^ c bv [u/x]m, and we must show [uo/xo]((Xx.m) u) -^ c bv 
[uq / xo][u / x]m. 

Pushing the substitution down we know [uo/xo]((Xx.m) u) = (Xx.[uo/xo]m) ([uq/xo)u), which 
steps to [[uo/xo]u/x\[uQ/xo]m. Since x is a bound variable we can pick it so that x ^ FV(wo) • 
Then [[woAoJw/x] ["oAo]" 1 = [uo/xq] [u/x]m as required. 

SC CASEBETA. Similar to the previous case. 

SC-APPREC. The assumed step is (rec/.u) U2 ^ c bv ([i , ec/.u//]wi) U2, and we must show 

[wo/*o]((rec/.u) u 2 ) ^ cb v [woAo](([rec/.u//]wi) u%). 

Pushing down the subsitution we know [uq / 'xo]((rec / '.u) u 2 ) = (rec/.u) {[uq/xq\U2), which steps 
to ([(rec/.u)// , ][wo/xo]wi) ([uq/xo]u 2 ). 

By picking the bound variable / so that/ ^ FV(wo) we have [rec/.u//] [woAo]"i = [«oAo] [rec/.u jf\u\ 
as required. 

SC_IAPPREC. Similar to the previous case. 

SC_IAPPBETA, SC_ABORT, SC_CTX. Immediate by just pushing in the substitution. 

□ 

Lemma 54. If \ a\ ~~*^.[j V n, then \ \v/x\a\ ^i-bv [ | v | / x] M. 



Proof. By commuting the substitution (lemma 52 1 we know |[v/jc]a| = [|v| A]|a|. Then apply lemma 53 



to each step of the reduction sequence \a\ -^> l cby n. □ 

Lemma 55 (Substitution for the annotated language). Suppose T\ \~v\ :A\. Then, 

1. IfT\,x\ : AijTj \- a : A, then R, \yi/x\\T 2 F \y\/x{\a : [viAi]A. 

2. If\- R ,xi ' A\ : T2, then F R, [vi/jci]r2. 

Proof. By mutual induction on R ,x\ : A\ , R F a : A and \~T\,x\ : A\ , R. Most cases follow directly by 
IH. Two interesting cases are: 

Case T_VAR. We get F R, [vi Ai]R by the mutual IH. Then do a case-split on where in the context x 
occurs: 

• If x : A G R, then by T_VAR we have R , [vi/jti]R2 F x : A. 

By F R ,jci : Ai , R we know R F A : * for some prefix To of R , so in particular by lemma 49 
we know FV (A) C dom (r ), so x\ FV (A). 

Also, by F R,jci : Ai,R we know x ^ x\. So [vi/jci]* = x an d [vi Ai]A = A, so we have 
showed r, [vi/jci]R F [vi /x\]x : [vi Ai]A as required. 
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If x = x\, then [vi/xi]x = vi, so by assumption we have T\ h [vi/xi]x :A\. By the assumption 
h ri,JCi :A\,T% we know that x\ is not free in Ai, so [vi/xi]A = Ai and so we have shown 



Ti h [vi/jci]x: [vi/jci]A. Finally by weakening (lemma 5 1 1 we have T\ , [vi/xi]r2 \~ [vi/x\]x: 
[vi/xi]A as required. 

• If x : A G I~2, thenx : [vi/xi]A G [vi/xi]r2, so we have H, [vi/xi]T2 \~ x : [vi/xi]A by T_VAR. 
By the same reasoning as above we know x\ / x, so this shows T\, [vi/xi]r2 h [vi/xi]x : 
[vi/xi]A as required. 

Case T JOIN. The typing rule looks like 

\a\ W bv n \b\ ^ ; cbv n 

r h a = b : * 

r ,. ■ ^T_JOIN 

1 h }om a=b i j : a = b 



By lemma 54 we get |[vi/xi]a| ~-*J-bv " anc * l[ v iA]^l ~*cbv By ^ we nave ^i, [vi/jci]r2 h 

□ 



[vi/xi](a = b):~k. Then re-apply TJOIN. 



Lemma 56 (Regularity inversion for the annotated language). 

1. IfT h (x : A) — > B : Ao/or som<? Ao, f/ze« r h A : * and r,x : A h B : *. 

2. Tjf r h [x:A] — > B : Aofor some Aq, then T h A : * aw<i r,x : A h B : ★. 

3. IfT h a = b: Aofor some Aq, then T h a : A arcc? T h ^ : B/or some fy/?es A a«<i B. 

Proof. By induction on the assumed typing derivation. The only rules that can apply are the intro rule, 
which has the required statements as assumptions, and conversion, which goes directly by IH. □ 

Lemma 57 (Regularity for the annotated language). IfT h a : A, then T h A : * awcf h T. 

Proof. Induction on T h a : A. The cases are: 

Cases T.TYPE, T_PI, T_IPI, T_TCON, T.ABSTCON, T_EQ. 

By T_TYPE we have T h * : * as required. We get h T by IH (or assumption in the TYPE case). 

Cases T_CASE, T_REC, t_app, t_abort, t_join, t_conv. 

We have r h A : * as a premise to the rule, and h T by IH. 



Case T VAR. By inversion on h T plus weakening (lemma 51 1. 
Case T_DCON. By T.TCON, using the premise T h A~ t : A+. 

Case T_ABS. By IH we get T,x : A\- B : * and h T,x : A. Inversion on the latter gives T h A : * so by 
T_PI we get r h (x : A) — >• B : * as required. 



Meanwhile, weakening (lemma 50 1 on h T,x : A gives h T as required. 
Case TJABS. Similar to the previous case. 
Case TJAPP. By the IH we have r h [x : A] -> B : * and h T. 



Now by inversion on T h [x : A] — >• B : * (lemma 56 ) we get r,x : A h B : *. Then by substitution 



(lemma 55 1 we have T h [v/x]B : * as required. 
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Case TJNJDOM. By IH we have h T. Also by IH we have Th ((x:Ai) -)■ Bi) = ((x:A 2 ) ->■ B 2 ) : so 
by applying inversion (lemma 56 ) twice we get r h A\ : * and T h A 2 : *. Then by T_EQ we have 
r h Ai = A2 : * as required. 

Case TJNJRNG. By similar reasoning to the previous case we get V,x : A h B\ : * and F,x : A\- B\ : 
Then by substitution (lemma 55 1 we have Y h [v/x]Bi : * and T h [v/x]fi2 : *, so by T_EQ we have 
r h \y/x]Bi = [v/x]B2 '■ * as required. 

Case T IINJDOM, T IINJRNG. Similar to the previous two cases. 

Case TJNJTCON. By IH we have r h D A, = DA,' : *, so by applying inversion (lemma 56 1 twice 
we have T h A,- : A for some A. By inversion on that judgment we get F h Ak : and similarly 
r I- A' k : *. So by T_EQ we have r h At = A' k : * as required. 

□ 

Lemma 58 (Strengthening for the annotated language). If Ti,jti : A\,T 2 \- a : A andx\ is not free in T 2 , 
a or A, then T\,T 2 \- a : A. 



Proof. By induction on T\ ,xi : A\ , T 2 h a : A. 

Lemma 59 (Value application). The following rule is admissible. 

B 

-APP.VAL 



□ 



rhfl : (x:A) 
Thv:A 



fhiiv: [v/x]B 



Proof. By regularity (lemma 57 1 we have T h (x : A) 



r,x : A h B : Then by substitution (lemma 55 1 we have T h [v/x]B : *, so we can apply T_APP. 



B : So by inversion (lemma |56|) we know 

□ 



Lemma 60 (Nondependent application). The following rule is admissible. 

B 

-APP_NONDEP 



rha :A 
Fhb:A 



Proof. By regularity (lemma 57 
B : *. By strengthening (lemma 
also shows r h [Z?/x]fi : and we can apply T_APP. 



Fhab-.B 

I we have F h A — )■ B : so by inversion (lemma [56]) we have T,x : A h 
58 1 we have r h B : *. Since x is not free we know [b/x]B = B, so this 

□ 



